Re: Question w.r.t. AES-CBC IV

2010-07-09 Thread Greg Rose
Unfortunately I can't remember the author, but there was a paper showing that an encrypted counter was secure to use as IVs for CBC mode. So encrypting a shorter random IV should also be secure. Greg. On 2010 Jun 2, at 9:36 , Ralph Holz wrote: Dear all, A colleague dropped in yesterday

Re: Possibly questionable security decisions in DNS root management

2009-10-20 Thread Greg Rose
On 2009 Oct 19, at 9:15 , Jack Lloyd wrote: On Sat, Oct 17, 2009 at 02:23:25AM -0700, John Gilmore wrote: DSA was (designed to be) full of covert channels. And, for that matter, one can make DSA deterministic by choosing the k values to be HMAC-SHA256(key, H(m)) - this will cause the k

Re: Certainty

2009-08-21 Thread Greg Rose
On 2009 Aug 19, at 3:28 , Paul Hoffman wrote: At 5:28 PM -0400 8/19/09, Perry E. Metzger wrote: I believe attacks on Git's use of SHA-1 would require second pre- image attacks, and I don't think anyone has demonstrated such a thing for SHA-1 at this point. None the less, I agree that it

Re: Crypto '09 rump session summary?

2009-08-19 Thread Greg Rose
Target collisions for MD5 can be calculated in seconds on a laptop, based on just a small change in the first block of input. There was also a semi-successful demo of MD5 certificate problems; you could join the special wireless network, and any https connection would be silently proxied

Re: SHA-1 collisions now at 2^{52}?

2009-04-30 Thread Greg Rose
On 2009 Apr 30, at 4:31 , Perry E. Metzger wrote: Eric Rescorla e...@networkresonance.com writes: McDonald, Hawkes and Pieprzyk claim that they have reduced the collision strength of SHA-1 to 2^{52}. Slides here: http://eurocrypt2009rump.cr.yp.to/ 837a0a8086fa6ca714249409ddfae43d.pdf

Re: Decimal encryption

2008-08-28 Thread Greg Rose
One of the earlier messages (I lost it) said that Philipp said that there was information that could be used as a nonce. In that case, I would recommend a stream cipher used to generate 133 bits at a time; if the lump of bits represents an integer in the correct range, add it modulo 10^40...

Re: Decimal encryption

2008-08-27 Thread Greg Rose
Philipp G├╝hring wrote: Hi, G'day Philipp, I am searching for symmetric encryption algorithms for decimal strings. Let's say we have various 40-digit decimal numbers: 2349823966232362361233845734628834823823 3250920019325023523623692235235728239462 0198230198519248209721383748374928601923

Re: Decimal encryption

2008-08-27 Thread Greg Rose
Hal Finney wrote: So, you don't have a 133-bit block cipher lying around? No worries, I'll sell you one ;-). Actually that is easy too. Take a trustworthy 128-bit block cipher like AES. To encrypt, do: 1. Encrypt the first 128 bits (ECB mode) 2. Encrypt the last 128 bits (also ECB mode). I

Re: Cube cryptanalysis?

2008-08-21 Thread Greg Rose
David Wagner wrote: It's a brilliant piece of research. If you weren't at CRYPTO, you missed an outstanding talk (and this wasn't the only one!). Yes, the program chair and committee did a great job. Whatsisname? Oh, yeah, David Wagner. Greg.

Re: Cube cryptanalysis?

2008-08-21 Thread Greg Rose
, Greg Rose [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote: Basically the method focuses on terms of the polynomial in which only one secret bit of the key appears, and many of the non-secret bits. Using chosen (or lucky) plaintexts, vary all but one of the non-secret bits

Re: Cube cryptanalysis?

2008-08-20 Thread Greg Rose
Steven M. Bellovin wrote: Greg, assorted folks noted, way back when, that Skipjack looked a lot like a stream cipher. Might it be vulnerable? Hmmm, interesting. I'm getting increasingly closer to talking through my hat, but... Skipjack has an 8x8 S-box, so by definition the maximum degree

Re: Cube cryptanalysis?

2008-08-20 Thread Greg Rose
someone wrote: what about RC4, the most important stream cipher in the Internet world? So I cornered Adi for a while. Of course he'd thought of almost everything I wanted to ask. You're not the first to think of RC4 (I confess I wasn't either). No, if you try to express shuffling as a

Re: Cube cryptanalysis?

2008-08-20 Thread Greg Rose
James Muir wrote: Greg Rose wrote: Basically, any calculation with inputs and outputs can be represented as an (insanely complicated and probably intractable) set of binary multivariate polynomials. So long as the degree of the polynomials is not too large, the method allows most

Re: Cube cryptanalysis?

2008-08-19 Thread Greg Rose
Perry E. Metzger wrote: According to Bruce Schneier... http://www.schneier.com/blog/archives/2008/08/adi_shamirs_cub.html ...Adi Shamir described a new generalized cryptanalytic attack at Crypto today. Anyone have details to share? Stunningly smart, and an excellent and understandable

Re: Cube cryptanalysis?

2008-08-19 Thread Greg Rose
Perry E. Metzger wrote: Greg Rose [EMAIL PROTECTED] writes: His example was an insanely complicated theoretical LFSR-based stream cipher; recovers keys with 2^28 (from memory, I might be a little out), with 2^40 precomputation, from only about a million output bits. They are working on applying

Re: Using a MAC in addition to symmetric encryption

2008-06-29 Thread Greg Rose
Erik Ostermueller wrote: If I exchange messages with a system and the messages are encrypted with a symmetric key, what further benefit would we get by using a MAC (Message Authentication Code) along with the message encryption? Being new to all this, using the encrytpion and MAC together seem

Re: Bletchley Park museum in financial trouble

2008-05-22 Thread Greg Rose
Perry E. Metzger wrote: A wonderful place. I hope it manages to pull through. http://resources.zdnet.co.uk/articles/imagegallery/0,102003,39415278,00.htm?r=234 There is a mechanism whereby US donors can send tax deductible donations to the trust. Go to http://www.cafamerica.org and

Re: Quantum Cryptography

2007-06-22 Thread Greg Rose
At 10:44 -0700 2007/06/22, Ali, Saqib wrote: ...whereas the key distribution systems we have aren't affected by eavesdropping unless the attacker has the ability to perform 2^128 or more operations, which he doesn't. Paul: Here you are assuming that key exchange has already taken place. But

Re: Can you keep a secret? This encrypted drive can...

2006-11-10 Thread Greg Rose
At 17:58 -0500 2006/11/08, Leichter, Jerry wrote: No, SHA-1 is holding on (by a thread) because of differences in the details of the algorithm - details it shares with SHA-256. I don't think anyone will seriously argue that if SHA-1 is shown to be as vulnerable as we now know ND5 to be, then

Re: hashes on restricted domains: random functions or permutations?

2006-10-18 Thread Greg Rose
At 19:13 -0500 2006/10/17, Travis H. wrote: So I was reading about the OTP system (based on S/Key) described in RFC 2289. It basically hashes a secret several times (with salt to individualize it) and stores the value that the correct password will hash to. Now my question is, if we restrict

Re: handling weak keys using random selection and CSPRNGs

2006-10-13 Thread Greg Rose
At 17:05 -0400 2006/10/12, Steven M. Bellovin wrote: This is a very interesting suggestion, but I suspect people need to be cautious about false positives. MP3 and JPG files will, I think, have similar entropy statistics to encrypted files; so will many compressed files. Actually, no. I have

Re: A note on vendor reaction speed to the e=3 problem

2006-09-28 Thread Greg Rose
At 14:33 -0400 2006/09/28, Leichter, Jerry wrote: | VMS has for years had a simple CHECKSUM command, which had a variant, CHECKSUM/IMAGE, applicable only to executable image files. It knew enough about the syntax of executables to skip over irrelevant metadata like link date and time. (The

Re: Exponent 3 damage spreads...

2006-09-14 Thread Greg Rose
So, there is at least one top-level CA installed in some common browsers (I checked Firefox) that uses exponent-3. It is Starfield Technologies Inc. Starfield Class 2 CA. There may well be others... I only looked far enough to determine that that was a problem. So the next question becomes,

Re: Why the exponent 3 error happened:

2006-09-14 Thread Greg Rose
At 19:02 +1000 2006/09/14, James A. Donald wrote: Suppose the padding was simply 010101010101010 ... 1010101010101 hash with all leading zeros in the hash omitted, and four zero bits showing where the actual hash begins. Then the error would never have been possible. I beg to differ. A

Re: Exponent 3 damage spreads...

2006-09-14 Thread Greg Rose
At 23:40 +1200 2006/09/14, Peter Gutmann wrote: But wait, there's more! From what I understand of the attack, all you need for it to work is for the sig.value to be a perfect cube. To do this, all you need to do is vary a few of the bytes of the hash value, which you can do via a simple

Re: Chasing the Rabbit - a cryptanalytic contest

2006-08-30 Thread Greg Rose
At 15:03 + 2006/08/28, D. J. Bernstein wrote: You left the rump session too early, Greg! What you saw was my first presentation, which was scheduled for 0 minutes, slideless, and titled ``FFT-based acoustic side-channel analysis of piano keystrokes''; Stuart wasn't even supposed to announce

Re: Chasing the Rabbit - a cryptanalytic contest

2006-08-27 Thread Greg Rose
At 15:26 +0200 2006/08/23, Erik Zenner wrote: Hi all! At the rump session of Crypto 2006, we started the chasing the Rabbit contest. Dan Bernstein was so kind as to present the slides on our behalf. The details of the contest are given below; they can also be downloaded from

Re: U. Washington Crypto Course Available Online For Free

2006-06-09 Thread Greg Rose
At 16:29 -0600 2006/06/08, John R. Black wrote: It is taught by good people, but I find it a bit strange they are all Microsoft employees. This is perhaps because U. Wash doesn't have any cryptographers. I hardly think that you can discount the skills of Josh Beneloh and Brian

Re: U. Washington Crypto Course Available Online For Free

2006-06-07 Thread Greg Rose
At 20:34 -0600 2006/06/06, John R. Black wrote: On Tue, Jun 06, 2006 at 01:57:25AM -0700, Udhay Shankar N wrote: http://it.slashdot.org/article.pl?sid=06/06/04/1311243 It is taught by good people, but I find it a bit strange they are all Microsoft employees. This is perhaps because U.

Re: is breaking RSA at least as hard as factoring or vice-versa?

2006-04-02 Thread Greg Rose
At 1:41 -0600 2006/04/02, Travis H. wrote: So I'm reading up on unconditionally secure authentication in Simmon's Contemporary Cryptology, and he points out that with RSA, given d, you could calculate e (remember, this is authentication not encryption) if you could factor n, which relates the

Re: Entropy Definition (was Re: passphrases with more than 160 bits of entropy)

2006-03-23 Thread Greg Rose
At 22:09 -0500 2006/03/22, John Denker wrote: Aram Perez wrote: * Can you add or increase entropy? Shuffling a deck of cards increases the entropy of the deck. As a minor nit, shuffling *in an unpredictable manner* adds entropy, because there is extra randomness being brought into the

Re: Symmetric ciphers as hash functions

2005-11-01 Thread Greg Rose
At 01:33 2005-11-01 -0600, Travis H. wrote: The latest hashes, such as SHA-1, gave up on Feistel. Not so... the SHA family are all unbalanced Feistel structures. Basically, for SHA-1 a complex function of 4 words and key material (in this case expanded data to be hashed) is combined with the

Re: Venona not all decrypted?

2005-10-04 Thread Greg Rose
or two. Greg. Greg RoseINTERNET: [EMAIL PROTECTED] Qualcomm Incorporated VOICE: +1-858-651-5733 FAX: +1-858-651-5766 5775 Morehouse Drivehttp://people.qualcomm.com/ggr/ San Diego, CA 92121 232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081

RE: ECC patents?

2005-09-15 Thread Greg Rose
as a price setting precedent. They (NSA) did pay, and they (Certicom) did stick it in our faces. See, eg., http://www.eweek.com/article2/0,1895,1498136,00.asp . Did you miss this at the time? Greg. Greg RoseINTERNET: [EMAIL PROTECTED] Qualcomm Incorporated

Re: expanding a password into many keys

2005-06-14 Thread Greg Rose
. (*) actually each layer reduces the space of output keys slightly; not enough to matter in practice, but it is actually infinitesimally worse than just doing the hash. Greg. Greg RoseINTERNET: [EMAIL PROTECTED] Qualcomm Incorporated VOICE: +1-858-651-5733

Re: [Clips] Storm Brews Over Encryption 'Safe Harbor' in Data Breach Bills

2005-06-03 Thread Greg Rose
disclosure... or not. Greg. Greg RoseINTERNET: [EMAIL PROTECTED] Qualcomm Incorporated VOICE: +1-858-651-5733 FAX: +1-858-651-5766 5775 Morehouse Drivehttp://people.qualcomm.com/ggr/ San Diego, CA 92121 232B EC8F 44C6 C853 D68F E107 E6BF

Re: SHA-1 cracked

2005-02-22 Thread Greg Rose
this kind of attack (whether they'd found it or not). We don't have a good analysis of the data-expansion part, but I'm pretty sure that it'll defeat the Wang attacks. Greg. Greg RoseINTERNET: [EMAIL PROTECTED] Qualcomm Incorporated VOICE: +1-858-651-5733 FAX

Re: SSL/TLS passive sniffing

2005-01-04 Thread Greg Rose
load for primality testing. I must be misunderstanding. Surely. Please? Greg. Greg RoseINTERNET: [EMAIL PROTECTED] Qualcomm Incorporated VOICE: +1-858-651-5733 FAX: +1-858-651-5766 5775 Morehouse Drivehttp://people.qualcomm.com/ggr/ San

RE: Bad day at the hash function factory

2004-08-24 Thread Greg Rose
I wrote: Phil Hawkes' paper on the SHA-2 round function has just been posted as Eprint number 207. It contains rather a lot of detail, unlike some of the other papers on the subject of hash function collisions. At 14:17 2004-08-23 -0400, Trei, Peter wrote: Could you possibly post a direct

Bad day at the hash function factory

2004-08-23 Thread Greg Rose
Phil Hawkes' paper on the SHA-2 round function has just been posted as Eprint number 207. It contains rather a lot of detail, unlike some of the other papers on the subject of hash function collisions. Greg. Greg RoseINTERNET: [EMAIL PROTECTED] Qualcomm

Re: MD5 collisions?

2004-08-18 Thread Greg Rose
In the light of day and less inebriated, I'd like to clarify some of what I wrote last night, and maybe expand a bit. My original account wasn't what I'd like to think of as a record for posterity. Greg. At 13:11 2004-08-18 +1000, Greg Rose wrote: Xiaoyun Wang was almost unintelligible

Re: MD5 collisions?

2004-08-18 Thread Greg Rose
At 00:49 2004-08-19 +1000, Greg Rose wrote: There has been criticism about the Wang et. al paper that it doesn't explain how they get the collisions. That isn't right. Note that from the incorrect paper to the corrected one, the delta values didn't change. Basically, if you throw random numbers

RE: MD5 collisions?

2004-08-18 Thread Greg Rose
is really message M and a random delta). But I could also be mistaken on this. Greg. Greg RoseINTERNET: [EMAIL PROTECTED] Qualcomm Australia VOICE: +61-2-9817 4188 FAX: +61-2-9817 5199 Level 3, 230 Victoria Road, http://people.qualcomm.com/ggr

Re: MD5 collisions?

2004-08-17 Thread Greg Rose
- The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED] Greg RoseINTERNET: [EMAIL PROTECTED] Qualcomm Australia VOICE: +61-2-9817 4188 FAX: +61-2-9817 5199 Level 3, 230 Victoria Road, http

Re: SHA-1 rumors

2004-08-16 Thread Greg Rose
about it, depending which version of the story you've heard. Since he works for the German NSA-equivalent, I guess he would take this seriously. Greg. Greg RoseINTERNET: [EMAIL PROTECTED] Qualcomm Australia VOICE: +61-2-9817 4188 FAX: +61-2-9817 5199

Re: EZ Pass and the fast lane ....

2004-07-10 Thread Greg Rose
incentive does a miscreant have to reprogram hundreds or thousands of other cars??? Until recently, when viruses and worms started to be used to assist spamming, what incentive did a miscreant have to invade hundreds or thousands of computers? Greg. Greg Rose

Re: BBC story on Iran codes

2004-06-19 Thread Greg Rose
At 15:41 2004-06-19 -0400, Perry E. Metzger wrote: http://news.bbc.co.uk/1/hi/technology/3804895.stm No real new info, but some good background. Several familiar names, such as Ross Anderson, are interviewed. Gee, a pity they can't calculate 2^128 correctly. Greg. Greg Rose

Re: Do Cryptographers burn?

2004-04-03 Thread Greg Rose
, and the house of cards would fall down. Therefore there is no house of cards. Greg. Greg Rose INTERNET: [EMAIL PROTECTED] Qualcomm Australia VOICE: +61-2-9817 4188 FAX: +61-2-9817 5199 Level 3, 230 Victoria Road,http

Re: I don't know PAIN...

2003-12-22 Thread Greg Rose
, indicating it is not widespread. iang - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED] Greg Rose INTERNET: [EMAIL PROTECTED] Qualcomm Australia

Re: Open Source Embedded SSL - Export Questions

2003-11-27 Thread Greg Rose
, and there are block ciphers (such as FEAL, same vintage as RC4) that aren't even vaguely secure. Greg. Greg Rose INTERNET: [EMAIL PROTECTED] Qualcomm Australia VOICE: +61-2-9817 4188 FAX: +61-2-9817 5199 Level 3, 230 Victoria Road,http

Re: Literature about Merkle hash tries?

2003-09-30 Thread Greg Rose
dbm uses essentially this philosophy, but the tree is not binary; rather each node stores up to one disk block's worth of pointers. Nodes split when they get too full. When the point is to handle a lot of data, this makes much more sense. Hope that helps, Greg. Greg Rose

Re: A quick question...

2003-09-28 Thread Greg Rose
. Adding (and checking) correct padding (eg. OAEP or PSS, see the PKCS standards) makes it extremely unlikely that there will be a cube root for the attack to work on. Others may want to correct me or elaborate further, but I think that's correct. regards, Greg. Greg Rose

Re: Code breakers crack GSM cellphone encryption

2003-09-08 Thread Greg Rose
this attack is not going to cost much more than a cellphone (without subsidies). Patenting the attack prevents the production of the radio shack (tm) gsm scanner, so that it at least requires serious attackers, not idle retirees or jealous teenagers. Greg. Greg Rose

Re: Code breakers crack GSM cellphone encryption

2003-09-08 Thread Greg Rose
compromised by this attack. Greg. Greg Rose INTERNET: [EMAIL PROTECTED] Qualcomm Australia VOICE: +61-2-9817 4188 FAX: +61-2-9817 5199 Level 3, 230 Victoria Road,http://people.qualcomm.com/ggr/ Gladesville NSW 2111232B EC8F 44C6

Crypto 2003

2003-07-02 Thread Greg Rose
) Greg Rose INTERNET: [EMAIL PROTECTED] Qualcomm Australia VOICE: +61-2-9817 4188 FAX: +61-2-9817 5199 Level 3, 230 Victoria Road,http://people.qualcomm.com/ggr/ Gladesville NSW 2111232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C