I think that any of OCB, CCM, or EAX are preferable from a security
standpoint, but none of them parallelize as well. If you want to do
a lot of encrypted and authenticated high-speed link encryption,
well, there is likely no other answer. It's GCM or nothing.
OCB parallelizes very well in
On Mon, Sep 02, 2013 at 03:09:31PM -0400, Jerry Leichter wrote:
a) The very reference you give says that to be equivalent to 128
bits symmetric, you'd need a 3072 bit RSA key - but they require a
2048 bit key. And the same reference says that to be equivalent to
256 bits symmetric, you need
On Wed, Oct 06, 2010 at 04:52:46PM +1300, Peter Gutmann wrote:
Right, because the problem with commercial PKI is all those attackers who are
factoring 1024-bit moduli, and apart from that every other bit of it works
_If_ Mozilla and the other browser vendors actually go through
On Wed, Jul 28, 2010 at 08:48:14AM -0400, Steven Bellovin wrote:
There seem to be at least three different questions here: bad code
(i.e., that Windows doesn't check the revocation status properly),
the UI issue, and the conceptual question of what should replace the
On Wed, Jul 28, 2010 at 11:04:30AM -0400, Jonathan Thornburg wrote:
On Tue, 27 Jul 2010, Jack Lloyd suggested:
http://www.crashie.com/ - if you're feeling malicious, just include
user will figure it out. (Or maybe
On Tue, Jul 27, 2010 at 06:07:02PM -0600, Paul Tiemann wrote:
IE6-is-dead parties. Could some intelligent web designers come up
with a few snippets of code in the various web flavors (PHP, ASP,
JSP, etc) for people to easily install and include on their sites
(as part of a movement to
On Mon, Jul 12, 2010 at 12:22:51PM -0400, Perry E. Metzger wrote:
BTW, let me note that if Intel wanted to gimmick their chips to make
them untrustworthy, there is very little you could do about it. The
literature makes it clear at this point that short of carefully
tearing apart and
On Wed, Nov 11, 2009 at 10:03:45AM +0800, Sandy Harris wrote:
C(x) = H1(H1(x) || H2(x))
This requires two hash(x) operations. A naive implementation needs
two passes through the data and avoiding that does not appear to
be trivial. This is not ideal since you seem very concerned about
On Sat, Oct 17, 2009 at 02:23:25AM -0700, John Gilmore wrote:
DSA was (designed to be) full of covert channels.
True, but TCP and UDP are also full of covert channels. And if you are
worried that your signing software or hardware is compromised and
leaking key bits, you have larger problems, no
On Wed, Oct 14, 2009 at 10:43:48PM -0400, Jerry Leichter wrote:
If the constraints elsewhere in the system limit the number of bits of
signature you can transfer, you're stuck. Presumably over time you'd
want to go to a more bit-efficient signature scheme, perhaps using
On Wed, Sep 02, 2009 at 10:58:03AM +0530, priya yelgar wrote:
I have implemented RNG using AES algorithm in CTR mode.
To test my implementation I needed some test vectors.
How ever I searched on the CSRC site, but found the test vectors for AES_CBC
not for AES CTR.
On Wed, Aug 19, 2009 at 09:28:45AM -0600, Zooko Wilcox-O'Hearn wrote:
[*] Linus Torvalds got the idea of a Cryptographic Hash Function
Directed Acyclic Graph structure from an earlier distributed revision
control tool named Monotone. He didn't go out of his way to give
credit to Monotone,
It seems the TI-83+ operating system is protected using some form of
code signing scheme using a 512 bit RSA key. That key has now been
Which apparently will allow custom operating systems to run on the
While this certainly is
A report summarizing NIST's selection of these candidates will be
forthcoming. A year is allocated for the public review of these
algorithms, and the Second SHA-3 Candidate Conference is being planned
for August 23-24, 2010,
On Tue, Jul 21, 2009 at 07:15:02PM -0500, Nicolas Williams wrote:
I've an application that is performance sensitive, which can re-key very
often (say, every 15 minutes, or more often still), and where no MAC is
accepted after 2 key changes. In one case the entity generating a MAC
is also the
On Thu, Jul 02, 2009 at 09:29:30AM +1000, silky wrote:
A potentially amusing/silly solution would be to have one strong key
that you change monthly, and then, encrypt *that* key, with a method
that will be brute-forceable in 2 months and make it public. As long
as you are constantly changing
On Tue, Jun 16, 2009 at 09:31:36AM -0700, Hal Finney wrote:
Udhay Shankar N quotes wikipedia:
The question was finally resolved in 2009 with the development of the
first true fully homomorphic cryptosystem. The scheme, constructed by
Craig Gentry, employs lattice based encryption and allows
Alex Biryukov, Dmitry Khovratovich, and Ivica Nikolic gave a talk at
the Eurocrypt rump session, 'Distinguisher and Related-Key Attack on
the Full AES-256', with the full paper accepted to Crypto.
Slides from Eurocrypt are here:
On Thu, Feb 12, 2009 at 10:49:37AM -0700, s...@acw.com wrote:
If anybody can alter, revoke or reissue a certificate then I agree it is
common property to which attaches no meaningful notion of property rights.
If on the other hand only certain people can alter, revoke or reissue a
On Sun, Dec 28, 2008 at 08:12:09PM -0500, Perry E. Metzger wrote:
Semiconductor laser based RNG with rates in the gigabits per second.
My take: neat, but not as important as simply including a decent
hardware RNG (even a slow one) in all PC
On Tue, Dec 30, 2008 at 11:45:27AM -0500, Steven M. Bellovin wrote:
Of course, every time a manufacturer has tried it, assorted people
(including many on this list) complain that it's been sabotaged by the
NSA or by alien space bats or some such.
Well, maybe it has. Or maybe it was just not
On Mon, Oct 06, 2008 at 05:51:50PM +1300, Peter Gutmann wrote:
For the past several years I've been making a point of asking users of crypto
on embedded systems (which would be particularly good targets for side-channel
attacks, particularly ones that provide content-protection capabilities)
On Fri, Oct 24, 2008 at 10:23:07AM -0500, Thierry Moreau wrote:
Do you really trust that no single source of entropy can have knowledge of
the other source's output, so it can surreptitiously correlate its own?
I.e, you are are also assuming that these sources are *independent*.
I do not
On Fri, Oct 24, 2008 at 03:20:24PM -0700, John Denker wrote:
On 10/24/2008 01:12 PM, Jack Lloyd wrote:
is a very different statement from saying that
lacking such an attacker, you can safely assume your 'pools of
entropy' (to quote the original question) are independent
On Wed, Jul 09, 2008 at 05:36:02PM +0100, Ben Laurie wrote:
Paul Hoffman wrote:
First off, big props to Dan for getting this problem fixed in a
responsible manner. If there were widespread real attacks first, it would
take forever to get fixes out into the field.
However, we in the security
On Wed, Jul 02, 2008 at 07:25:36AM -0400, Perry E. Metzger wrote:
[EMAIL PROTECTED] (Peter Gutmann) writes:
(Actually even that doesn't really explain something like IKE... :-).
Having been peripherally involved in the causation change for IKE, let
me confess that it was caused by human
On Fri, Jun 27, 2008 at 12:19:04PM -0700, zooko wrote:
and probably other commodity products). Likewise newfangled ciphers like
Salsa20 and EnRUPT will be considered by me to be faster than AES (because
they are faster in software) rather than slower (because AES might be built
On Tue, May 06, 2008 at 03:40:46PM +, Steven M. Bellovin wrote:
In particular, with TLS the session key can be negotiated between
two user contexts; with IPsec/IKE, it's negotiated between a user
and a system. (Yes, I'm oversimplifying here.)
Is there any reason (in principle) that
would advise you
to remember that crypto does not exist in a vacuum, and should help,
not hinder, the overall security of a system.
The Cryptography Mailing List
Unsubscribe by sending unsubscribe
On Mon, Apr 28, 2008 at 10:03:38PM -0400, Victor Duchovni wrote:
On Mon, Apr 28, 2008 at 03:12:31PM -0700, Ryan Phillips wrote:
What are people's opinions on corporations using this tactic? I can't
think of a great way of alerting the user, but I would expect a pretty
reasonable level of
On Wed, Apr 23, 2008 at 08:20:27AM -0400, Perry E. Metzger wrote:
There are a variety of issues. Smart cards have limited capacity. Many
key agreement protocols yield only limited amounts of key
material. I'll leave it to others to describe why a rational engineer
might use fewer key bits,
On Fri, Apr 11, 2008 at 04:30:47PM +0200, COMINT wrote:
Quick system scenario:
You have packet [A].
It gets encrypted using an AES algo in a particular mode and we are
left with [zA].
More data [B] is added to that encrypted packet.
Now I have [zA]+[B] in one packet and I re-encrypt
On Tue, Mar 18, 2008 at 09:46:45AM -0700, Jon Callas wrote:
What operates like a block cipher on a large chunk?
Tweakable modes like EME.
Or as a non-patented alternative one could use the Bear/Lion
constructions , which can encrypt arbitrary size blocks at
reasonably good speeds (depending
On Thu, Feb 21, 2008 at 12:10:33PM -0500, Perry E. Metzger wrote:
Ed Felten blogs on his latest research:
Today eight colleagues and I are releasing a significant new
research result. We show that disk encryption, the standard
On Wed, Dec 12, 2007 at 05:27:38PM -0500, Thierry Moreau wrote:
As a consequence of alleged consensus above, my understanding of the C
standard would prevail and (memset)(?,0,?) would refer to an external
linkage function, which would guarantee (to the sterngth of the above
On Thu, Oct 25, 2007 at 09:16:21PM -0700, Alex Pankratov wrote:
Assuming the password is an English word or a phrase, and the
secret is truly random, does it mean that the password needs
to be 3100+ characters in size in order to provide a proper
degree of protection to the value ?
On Thu, Oct 04, 2007 at 06:48:49PM -0400, Leichter, Jerry wrote:
Prat Moghe, founder and CTO of Tizor Systems Inc., a Maynard,
Mass.-based security firm, called the NRF's demand political posturing
and said it would do little to improve retail security anytime soon.
I think a lot of this is
On Fri, Aug 17, 2007 at 05:21:16PM -0700, Alex Alten wrote:
Agreed, for most requirements. Sometimes one may need to keep keys
in trusted hardware only. The only real fly-in-the-ointment is that current
hash algorithms (SHA-1, SHA-2, etc.) don't scale across multiple CPU
cores (assuming you
On Fri, May 11, 2007 at 04:42:47PM +0200, Ian G wrote:
They also involve some elements of sound and cryptography,
said Tom Marble, Sun's OpenJDK ambassador. We have already
contacted the copyright holders. We were unable to negotiate
release under an open-source license, Marble said.
On Wed, Apr 04, 2007 at 05:51:27PM +0100, Dave Korn wrote:
Can anyone seriously imagine countries like Iran or China signing up to a
system that places complete control, surveillance and falsification
capabilities in the hands of the US' military intelligence?
How is this any different from
On Fri, Sep 15, 2006 at 09:48:16AM -0400, David Shaw wrote:
GPG was not vulnerable, so no fix was issued. Incidentally, GPG does
not attempt to parse the PKCS/ASN.1 data at all. Instead, it
generates a new structure during signature verification and compares
it to the original.
On Sun, Jul 02, 2006 at 03:25:09AM -0500, Travis H. wrote:
Going over old emails.
On 10/12/05, Jack Lloyd [EMAIL PROTECTED] wrote:
I prefer a multi-stage design, as described by various people smarter than
source(s) -- mixer -- pool -- extractor -- X9.31
Did you really mean
On Wed, Mar 22, 2006 at 03:29:07PM -0800, Aram Perez wrote:
* How do you measure entropy? I was under the (false) impression that
Shannon gave a formula that measured the entropy of a message (or
He did give a formula for the entropy of a source; however the
On Tue, Feb 14, 2006 at 03:24:09AM +1300, Peter Gutmann wrote:
1. There are a great many special-case situations where no published protocol
fits. As the author of a crypto toolkit, I could give you a list as long
as your arm of user situations where no existing protocol can be applied
On Fri, Feb 10, 2006 at 07:21:05PM +1300, Peter Gutmann wrote:
Well, that's the exact problem that I pointed out in my previous message - in
order to get this right, people have to read the mind of the paper author to
divine their intent. Since the consumers of the material in the paper
On Thu, Feb 09, 2006 at 05:01:05PM +1300, Peter Gutmann wrote:
So you can use encrypt-then-MAC, but you'd better be *very*
careful how you apply it, and MAC at least some of the additional non-message-
data components as well.
Looking at the definitions in the paper, I think it is pretty
On Thu, Jan 26, 2006 at 05:30:36AM -0600, Travis H. wrote:
Excuse me? This would in fact be a _perfect_ way to distribute key
material for _other_ cryptosystems, such as PGP, SSH, IPSec, openvpn,
gaim-encryption etc. etc. You see, he's right in that the key
distribution problem is the
Some relevant and recent data: in some tests I ran this weekend (GMP 4.1.2,
OpenSSL 0.9.8a, Athlon/gcc/Linux) RSA operations using GMP were somewhat faster
than ones using OpenSSL even when blinding was used with both (typical
performance boost was 15-20%).
I'm assume both of which are needed
On Tue, Jan 03, 2006 at 10:10:50PM +, Ben Laurie wrote:
Yes, you are - there's the cache attack, which requires the attacker to
have an account on the same machine. I guess I shouldn't have called it
constant time, since its really constant memory access that defends
On Tue, Dec 27, 2005 at 02:28:07PM +, Ben Laurie wrote:
Apparently this rather depends on platform and compiler options. I am
reliably informed that GMP is not always faster.
For those that really care it'd be cool if someone did a careful
comparison. It would also be interesting to
Does anyone know of any 'standard' [*] ways of encrypting private keys in the
usual PKCS #8 format without using password-based encryption? It is obviously
not hard to do, as you can stick whatever you like into the encryptionAlgorithm
field, so it would be easy to specify an plain encryption
On Fri, Dec 16, 2005 at 05:41:48PM +, Ben Laurie wrote:
No, OpenSSL is self-contained. There is, IIRC, an engine that uses GMP
if you want, but its entirely optional; OpenSSL has its own bignum
implementation that's just as good.
Last I checked, public key operations in OpenSSL were
Define fast - KASUMI is based heavily on MISTY1. In fact, during a fast scan of
the KASUMI spec, I couldn't see anywhere obvious where it different from MISTY1
at all. As far as I know, I'm the only person who has even tried writing fast
code for MISTY1, and the result is quite dog-slow compared
On Mon, Dec 12, 2005 at 12:20:26AM -0600, Travis H. wrote:
2) While CTR mode with a random key is sufficient for creating a
permutation of N-bit blocks for a fixed N, is there a general-purpose
way to create a N-bit permutation, where N is a variable? How about
picking a cryptographically
The basic scenario I'm looking at is encrypting some data using a
password-derived key (using PBKDF2 with sane salt sizes and iteration
counts). I am not sure if what I'm doing is sound practice or just pointless
overengineering and wanted to get a sanity check.
My inclination is to use the
On Thu, Nov 17, 2005 at 12:10:53PM -0500, John Kelsey wrote:
c. Maybe they just got it wrong. SHA0 and SHA1 demonstrate that this
is all too possible. (It's quite plausible to me that they have very
good tools for analyzing block ciphers, but that they aren't or
weren't sure how to best
On Thu, Nov 10, 2005 at 10:33:18AM +, Terence Joseph wrote:
The Pseudorandom Number Generator specified in Ansi X9.17 used to be one of
the best PRNGs available if I am correct. I was just wondering if this is
still considered to be the case? Is it widely used in practical
On Wed, Oct 26, 2005 at 07:47:22AM -0700, Dirk-Willem van Gulik wrote:
On Mon, 24 Oct 2005, cyphrpunk wrote:
Is it possible that Skype doesn't use RSA encryption? Or if they do,
do they do it without using any padding, and is that safe?
You may want to read the report itself:
On Tue, Oct 18, 2005 at 12:18:57AM -0500, Travis H. wrote:
source(s) -- mixer -- pool -- extractor -- X9.31
Where can I find out more about the design choices for these stages?
Peter Gutmann has several good papers on RNG design, as have some folks
currently or formerly associated with
On Wed, Oct 12, 2005 at 04:49:43AM -0500, Travis H. wrote:
I am thinking of making a userland entropy distribution system, so
that expensive HWRNGs may be shared securely amongst several machines.
We already have enough fast,
No real details, just collisions for 80 round SHA-0 (which I just confirmed)
and 58 round SHA-1 (which I haven't bothered with), plus the now famous work
factor estimate of 2^69 for full SHA-1.
As usual, Technical details will be provided in a
On Mon, Jun 14, 2004 at 11:31:23AM +, [EMAIL PROTECTED] wrote:
Ben Laurie wrote:
In OpenSSL we overwrite with random gunk for this reason.
What? No compiler is smart enough to say, The program
sets these variables but they are never referenced again.
I'll save time and not set them.
Does anyone know of an SSL acceleration card that actually works under
Linux/*BSD? I've been looking at vendor web pages (AEP, Rainbow, etc), and
while they all claim to support Linux, Googling around all I find are people
saying Where can I get drivers? The ones vendor shipped only work on
This was just something that popped into my head a while back, and I was
wondering if this works like I think it does. And who came up with it
before me, because it's was too obvious. It's just that I've never heard of
something alone these lines before.
Basically, you share some secret with
Mail list logo