Re: [Cryptography] Sha3

2013-10-05 Thread Dan Kaminsky
Because not being fast enough means you don't ship. You don't ship, you didn't secure anything. Performance will in fact trump security. This is the empirical reality. There's some budget for performance loss. But we have lots and lots of slow functions. Fast is the game. (Now, whether my

1280-Bit RSA

2010-07-09 Thread Dan Kaminsky
All, I've got a perfect vs. good question. NIST is pushing RSA-2048. And I think we all agree that's probably a good thing. However, performance on RSA-2048 is too low for a number of real world uses. Assuming RSA-2048 is unavailable, is it worth taking the intermediate step of

Re: [TIME_WARP] 1280-Bit RSA

2010-07-09 Thread Dan Kaminsky
Dan, I looked at the GNFS runtime and plugged a few numbers in. It seems RSA Security is using a more conservative constant of about 1.8 rather than the suggested 1.92299... See: So using 1.8, a 1024 bit RSA key is roughly equivalent to

Re: OpenID/Debian PRNG/DNS Cache poisoning advisory

2008-08-08 Thread Dan Kaminsky
Eric Rescorla wrote: At Fri, 8 Aug 2008 17:31:15 +0100, Dave Korn wrote: Eric Rescorla wrote on 08 August 2008 16:06: At Fri, 8 Aug 2008 11:50:59 +0100, Ben Laurie wrote: However, since the CRLs will almost certainly not be checked, this means the site will still be

Re: Toshiba shows 2Mbps hardware RNG

2008-02-15 Thread Dan Kaminsky
Peter Gutmann wrote: David G. Koontz writes: Military silicon already has RNG on chip (e.g. AIM, Advanced INFOSEC Machine, Motorola), That's only a part of it. Military silicon has a hardware RNG on chip alongside a range of other things because they know full

Re: Fixing SSL (was Re: Dutch Transport Card Broken)

2008-02-01 Thread Dan Kaminsky
(as if anyone uses client certificates anyway)? Guess why so few people are using it ... If it were secure, more people would be able to use it. People don't use it because the workload of getting signed up is vastly beyond their skillset, and the user experience using the things

Re: Death of antivirus software imminent

2008-01-04 Thread Dan Kaminsky
Crypto solves certain problems very well. Against others, it's worse than useless -- worse, because it blocks out friendly IDSs as well as hostile parties. Yawn. IDS is dead, has been for a while now. The bottom line discovery has been that: 1) Anomaly detection doesn't work because

Re: MD5 Collision, Visualised

2005-08-31 Thread Dan Kaminsky
Ben Laurie wrote: I wrote some code to show the internal state of MD5 during a collision... Cheers, Ben. Ben-- Thpt ;) (That being said -- I do like your output. Very nice.) --Dan

Re: mother's maiden names...

2005-07-13 Thread Dan Kaminsky
A quick question to anyone who might be in the banking industry. Why do banks not collect simple biometric information like photographs of their customers yet? Bank Of America put my photo on my ATM card back in '97. They're shipping me a new one right now, so I assume they kept it in

Re: ID theft -- so what?

2005-07-13 Thread Dan Kaminsky
This is yet more reason why I propose that you authorize transactions with public keys and not with the use of identity information. The identity information is widely available and passes through too many hands to be considered secret in any way, but a key on a token never will pass through

Re: Why Blockbuster looks at your ID.

2005-07-09 Thread Dan Kaminsky
Jerrold Leichter wrote: | Credit card fraud has gone *down* since 1992, and is actually falling: | | 1992: $2.6B | 2003: $882M | 2004: $788M | | We're on the order of 4.7 cents on the $100. | | | The

Re: Why Blockbuster looks at your ID.

2005-07-08 Thread Dan Kaminsky
I think you're wrong on that one. Financial cost and benefit are easily assessed on this, and I think the numbers add up. Credit card fraud costs in the hundreds of billions of dollars a year, much of which could be eliminated by a change to the sort of system I mention. That's not a small

Re: /dev/random is probably not

2005-07-05 Thread Dan Kaminsky
So the funny thing about, say, SHA-1, is if you give it less than 160 bits of data, you end up expanding into 160 bits of data, but if you give it more than 160 bits of data, you end up contracting into 160 bits of data. This works of course for any input data, entropic or not. Hash saturation?

Re: WYTM - but what if it was true?

2005-06-27 Thread Dan Kaminsky
If you are insisting that there is always a way and that, therefore, the situation is permanently hopeless such that the smart ones are getting the hell out of the Internet, I can go with that, but then we (you and I) would both be guilty of letting the best be the enemy of the good. A

Re: WYTM - but what if it was true?

2005-06-24 Thread Dan Kaminsky
Dan-- I had something much more complicated, but it comes down to. You trust Internet Explorer. Spyware considers Internet Explorer crunchy, and good with ketchup. Any questions? A little less snarkily, Spyware can trivially use what MS refers to as a Browser Helper Object

Re: Optimisation Considered Harmful

2005-06-24 Thread Dan Kaminsky
Suppose you have something that is inadvertently an oracle - it encrypts stuff from many different users preparatory to sending it out over the internet, and makes no effort to strongly authenticate a user. Have it encrypt stuff into a buffer, and on a timer event, send out the buffer. Your

Re: encrypted tapes (was Re: Papers about Algorithm hiding ?)

2005-06-08 Thread Dan Kaminsky
2) The cost in question is so small as to be unmeasurable. Yes, because key management is easy or free. Also, reliability of encrypted backups is problematic: CBC modes render a single fault destructive to the entire dataset. Counter mode is sufficiently new that it's not supported by

Re: [Clips] Citigroup Says Data Lost On 3.9 Million Customers

2005-06-07 Thread Dan Kaminsky
The likelihood of having the information compromised is very remote given the type of equipment that is required to read it, Debby Hopkins, Citigroup's chief operations and technology officer, said in an interview. Additionally, the information is not in a format that an untrained eye would even

Re: How secure is the ATA encrypted disk?

2005-05-25 Thread Dan Kaminsky
From what I've heard, datapath to the disk. I've read enough of the specs to see they're well aware a worm could brick a couple hundred thousand hard drives. --Dan James A. Donald wrote: Every ATA disk contains encryption firmware, though not all bioses allow you to use it. There is a master

Re: Secure Science issues preview of their upcoming block cipher

2005-03-28 Thread Dan Kaminsky
Have you looked at their scheme? The way to come up with a cipher provably as secure as AES-128 is to use AES-128 as part of your cipher -- but their scheme does not do anything like that. I am very skeptical about claims that they have a mathematical

Re: how to phase in new hash algorithms?

2005-03-25 Thread Dan Kaminsky
Steven M. Bellovin wrote: We all understand the need to move to better hash algorithms than SHA1. At a minimum, people should be switching to SHA256/384/512; arguably, Whirlpool is the right way to go. The problem is how to get there from here. I've been rather continually pinging people,

Re: What is to be said about pre-image resistance?

2005-03-25 Thread Dan Kaminsky
Ian, The Wang attack does nothing (yet) for second preimages. The best attack I know of against them is in Kelsey and Schneier's *Second Preimages on n-bit Hash Functions for Much Less than 2^n Work.* It's at: Once you cut through the

Re: comments wanted on gbde

2005-03-07 Thread Dan Kaminsky
Re, GBDE-- Some initial thoughts: I wouldn't be surprised if platters couldn't be analyzed for usage levels / magnetic degradation (Peter?). Even without a clean room, ATA is pretty rich -- anyone remember the guy who graphically plotted the spiral damage caused by a failed drive head

Re: Digital Water Marks Thieves

2005-03-03 Thread Dan Kaminsky
My complaint is against the parroting of patently absurd claims by manufacturers (or governments, for that matter) under the guise of journalism. If you need the reason to be concrete, here's one: I might buy this magic water and apply it to some of my stuff, figuring I don't have to

Re: MD5 collision in X509 certificates

2005-03-03 Thread Dan Kaminsky
Ben, Semantic gap, and I do apologize if I didn't make this clear. Wang adapts to any initial state, so you can create arbitrary content to prepend your collision set with, adapt to its output, and then append whatever you like. The temporal ordering is indeed important though; you can't

Re: MD5 collision in X509 certificates

2005-03-03 Thread Dan Kaminsky
Ben Laurie wrote: Dan Kaminsky wrote: The x.509 cert collision is a necessary consequence of the earlier discussed prime/not-prime collision. Take the previous concept, make both prime, and surround with the frame of an x.509 cert, and you get the new paper. Actually, not - an RSA

Re: Digital Water Marks Thieves

2005-02-22 Thread Dan Kaminsky
Matt Crawford wrote: On Feb 15, 2005, at 12:40, R.A. Hettinga wrote: Instant, is a property-marking fluid that, when brushed on items like office equipment or motorcycles, tags them with millions of tiny fragments, each etched with a unique SIN (SmartWater identification number) that is

Re: SHA-1 cracked

2005-02-17 Thread Dan Kaminsky
It is worth emphasizing that, as a 2^69 attack, we're not going to be getting test vectors out of Wang. After all, if she had 2^69 computation available, she wouldn't have needed to attack MD5; she could have just brute forced it in 2^64. This means the various attacks in the MD5 Someday paper

Re: Desire safety on Net? (n) code has the solution

2005-02-10 Thread Dan Kaminsky
Digital certificates can be explained as digital passports, which help in authentication of the bearer on the Internet. This also helps maintain privacy and integrity of Net-based transactions. Digital signatures are accorded the same value as paper-based signatures of the physical world by the

Re: Simson Garfinkel analyses Skype - Open Society Institute

2005-02-07 Thread Dan Kaminsky
Actually it's not that bad: using SIP, the RTP packets can be protected by SRTP (RFC3711, with an open-source implementation from Cisco at ) SRTP...heh. Take a look at RFC3711 for a second. Specification of a key management protocol for SRTP is out of scope here.

Re: Dell to Add Security Chip to PCs

2005-02-02 Thread Dan Kaminsky
Uh, you *really* have no idea how much the black hat community is looking forward to TCPA. For example, Office is going to have core components running inside a protected environment totally immune to antivirus. Since these components are going to be managing cryptographic operations, the