Adam,
I guess I should preface this by saying I am speaking only for myself. That's
always true here--it's why I'm using my personal email address. But in
particular, right now, I'm not *allowed* to work. But just speaking my own
personal take on things
We go pretty *overwhelming*
On Oct 12, 2013, at 6:51 AM, Ben Laurie b...@links.org wrote:
...
AIUI, you're trying to make it so that only active attacks work on the
combined protocol, whereas passive attacks might work on the outer
protocol. In order to achieve this, you assume that your proposed
inner protocol is not
On Oct 11, 2013, at 1:48 AM, ianG i...@iang.org wrote:
...
What's your goal? I would say you could do this if the goal was ultimate
security. But for most purposes this is overkill (and I'd include online
banking, etc, in that).
We were talking about how hard it is to solve crypto
This is a job for a key derivation function or a cryptographic prng. I would
use CTR-DRBG from 800-90 with AES256. Or the extract-then-expand KDF based on
HMAC-SHA512.
--John
___
The cryptography mailing list
cryptography@metzdowd.com
The problem with offensive cyberwarfare is that, given the imbalance between
attackers and defenders and the expanding use of computer controls in all sorts
of systems, a cyber war between two advanced countries will not decide anything
militarily, but will leave both combatants much poorer
Just thinking out loud
The administrative complexity of a cryptosystem is overwhelmingly in key
management and identity management and all the rest of that stuff. So imagine
that we have a widely-used inner-level protocol that can use strong crypto, but
also requires no external key
Having a public bulletin board of posted emails, plus a protocol for
anonymously finding the ones your key can decrypt, seems like a pretty decent
architecture for prism-proof email. The tricky bit of crypto is in making
access to the bulletin board both efficient and private.
--John
More random thoughts:
The minimal inner protocol would be something like this:
Using AES-CCM with a tag size of 32 bits, IVs constructed based on an implicit
counter, and an AES-CMAC-based KDF, we do the following:
Sender:
a. Generate random 128 bit value R
b. Use the KDF to compute
On Oct 10, 2013, at 5:15 PM, Richard Outerbridge ou...@sympatico.ca wrote:
How does this prevent MITM? Where does G come from?
I'm assuming G is a systemwide shared parameter. It doesn't prevent
mitm--remember the idea here is to make a fairly lightweight protocol to run
*inside* another
On Oct 10, 2013, at 5:20 PM, Ray Dillinger b...@sonic.net wrote:
On 10/10/2013 12:54 PM, John Kelsey wrote:
Having a public bulletin board of posted emails, plus a protocol
for anonymously finding the ones your key can decrypt, seems
like a pretty decent architecture for prism-proof email
On Oct 8, 2013, at 4:46 PM, Bill Frantz fra...@pwpconsult.com wrote:
I think the situation is much more serious than this comment makes it appear.
As professionals, we have an obligation to share our knowledge of the limits
of our technology with the people who are depending on it. We know
On Oct 6, 2013, at 6:29 PM, Jerry Leichter leich...@lrw.com wrote:
On Oct 5, 2013, at 6:12 PM, Ben Laurie wrote:
I have to take issue with this:
The security is not reduced by adding these suffixes, as this is only
restricting the input space compared to the original Keccak. If there
is no
Alongside Phillip's comments, I'll just point out that assassination of key
people is a tactic that the US and Israel probably don't have any particular
advantages in. It isn't in our interests to encourage a worldwide tacit
acceptance of that stuff.
I suspect a lot of the broad principles
One thing that seems clear to me: When you talk about algorithm flexibility in
a protocol or product, most people think you are talking about the ability to
add algorithms. Really, you are talking more about the ability to *remove*
algorithms. We still have stuff using MD5 and RC4 (and we'll
Most applications of crypto shouldn't care much about performance of the
symmetric crypto, as that's never the thing that matters for slowing things
down. But performance continues to matter in competitions and algorithm
selection for at least three reasons:
a. We can measure performance,
On Oct 4, 2013, at 10:10 AM, Phillip Hallam-Baker hal...@gmail.com wrote:
...
Dobertin demonstrated a birthday attack on MD5 back in 1995 but it had no
impact on the security of certificates issued using MD5 until the attack was
dramatically improved and the second pre-image attack became
http://keccak.noekeon.org/yes_this_is_keccak.html
--John
On Oct 1, 2013, at 5:58 PM, Peter Fairbrother zenadsl6...@zen.co.uk wrote:
AES, the latest-and-greatest block cipher, comes in two main forms - AES-128
and AES-256.
AES-256 is supposed to have a brute force work factor of 2^256 - but we find
that in fact it actually has a very similar
On Oct 1, 2013, at 12:51 PM, Adam Back a...@cypherspace.org wrote:
[Discussing how NSA might have generated weak curves via trying many choices
till they hit a weak-curve class that only they knew how to solve.]
...
But the more interesting question I was referring to is a trapdoor weakness
Has anyone tried to systematically look at what has led to previous crypto
failures? That would inform us about where we need to be adding armor plate.
My impression (this may be the availability heuristic at work) is that:
a. Most attacks come from protocol or mode failures, not so much
On Oct 2, 2013, at 9:54 AM, Paul Crowley p...@ciphergoth.org wrote:
On 30 September 2013 23:35, John Kelsey crypto@gmail.com wrote:
If there is a weak curve class of greater than about 2^{80} that NSA knew
about 15 years ago and were sure nobody were ever going to find that weak
curve
On Oct 1, 2013, at 4:48 AM, ianG i...@iang.org wrote:
...
This could be the uninformed opinion over unexpected changes. It could also
be the truth. How then to differentiate?
Do we need to adjust the competition process for a tweak phase?
Let's whiteboard. Once The One is chosen, have
GOST was specified with S boxes that could be different for different
applications, and you could choose s boxes to make GOST quite weak. So that's
one example.
--John
Having read the mail you linked to, it doesn't say the curves weren't generated
according to the claimed procedure. Instead, it repeats Dan Bernstein's
comment that the seed looks random, and that this would have allowed NSA to
generate lots of curves till they found a bad one.
it looks to
If you want to understand what's going on wrt SHA3, you might want to look at
the nist website, where we have all the slide presentations we have been giving
over the last six months detailing our plans. There is a lively discussion
going on at the hash forum on the topic.
This doesn't make
On Sep 25, 2013, at 2:52 AM, james hughes hugh...@mac.com wrote:
Many, if not all, service providers can provide the government valuable
information regarding their customers. This is not limited to internet
service providers. It includes banks, health care providers, insurance
companies,
On Sep 18, 2013, at 3:27 PM, Kent Borg kentb...@borg.org wrote:
You foreigners actually have a really big vote here. All those US internet
companies want your business, and as you get no protections, in the current
scheme, not even lip-service, you should look for alternatives. As you do,
On Sep 19, 2013, at 5:21 PM, Phillip Hallam-Baker hal...@gmail.com wrote:
Criminals circumvent the WebPKI rather than trying to defeat it. If they did
start breaking the WebPKI then we can change it and do something different.
If criminals circumvent the PKI to steal credit card numbers,
On Sep 17, 2013, at 11:41 AM, Perry E. Metzger pe...@piermont.com wrote:
I confess I'm not sure what the current state of research is on MAC
then Encrypt vs. Encrypt then MAC -- you may want to check on that.
Encrypt then MAC has a couple of big advantages centering around the idea that
you
For hash functions, MACs, and signature schemes, simply concatenating
hashes/MACs/signatures gives you at least the security of the stronger one.
Joux multicollisions simply tell us that concatenating two or more hashes of
the same size doesn't improve their resistance to brute force collision
Arggh! Of course, this superencryption wouldn't help against the CBC padding
attacks, because the attacker would learn plaintext without bothering with the
other layers of encryption. The only way to solve that is to preprocess the
plaintext in some way that takes the attacker's power to
Your first two categories are talking about the distribution of entropy--we
assume some unpredictability exists, and we want to quantify it in terms of
bits of entropy per bit of output. That's a useful distinction to make, and as
you said, if you can get even a little entropy per bit and know
On Sep 10, 2013, at 3:56 PM, Bill Stewart bill.stew...@pobox.com wrote:
One point which has been mentioned, but perhaps not emphasised enough - if
NSA have a secret backdoor into the main NIST ECC curves, then even if the
fact of the backdoor was exposed - the method is pretty well known -
Switching from AES to one-time pads to solve your practical cryptanalysis
problems is silly. It replaces a tractable algorithm selection problem with a
godawful key management problem, when key management is almost certainly the
practical weakness in any broken system designed by non-idiots.
On Sep 9, 2013, at 6:32 PM, Perry E. Metzger pe...@piermont.com wrote:
First, David, thank you for participating in this discussion.
To orient people, we're talking about whether Intel's on-chip
hardware RNGs should allow programmers access to the raw HRNG output,
both for validation
Your cryptosystem should be designed with the assumption that an attacker will
record all old ciphertexts and try to break it later. The whole point of
encryption is to make that attack not scary. We can never rule out future
attacks, or secret ones now. But we can move away from marginal
It depends on the encryption scheme used. For a stream cipher (including AES
in counter or OFB mode), this yields the keystream. If someone screws up and
uses the same key and IV twice, you can use knowledge of the first plaintext to
learn the second. For other AES chaining modes, it's less
On Sep 7, 2013, at 3:25 PM, Christian Huitema huit...@huitema.net wrote:
Another argument is “minimal dependency.” If you use public key, you depend
on both the public key algorithm, to establish the key, and the symmetric key
algorithm, to protect the session. If you just use symmetric
There are basically two ways your RNG can be cooked:
a. It generates predictable values. Any good cryptographic PRNG will do this
if seeded by an attacker. Any crypto PRNG seeded with too little entropy can
also do this.
b. It leaks its internal state in its output in some encrypted way.
Let's suppose I design a block cipher such that, with a randomly generated key
and 10,000 known plaintexts, I can recover that key. For this to be useful in
a world with relatively sophisticated cryptanalysts, I must have confidence
that it is extremely hard to find my trapdoor, even when you
On Sep 8, 2013, at 3:55 PM, Thor Lancelot Simon t...@rek.tjls.com wrote:
...
I also wonder -- again, not entirely my own idea, my whiteboard partner
can speak up for himself if he wants to -- about whether we're going
to make ourselves better or worse off by rushing to the safety of
PFS
I don't see what problem would actually be solved by dropping public key crypto
in favor of symmetric only designs. I mean, if the problem is that all public
key systems are broken, then yeah, we will have to do something else. But if
the problem is bad key generation or bad implementations,
On Sep 3, 2013, at 6:06 PM, Jerry Leichter leich...@lrw.com wrote:
On Sep 3, 2013, at 3:16 PM, Faré fah...@gmail.com wrote:
Can't you trivially transform a hash into a PRNG, a PRNG into a
cypher, and vice versa?
No.
hash-PRNG: append blocks that are digest (seed ++
...
Let H(X) = SHA-512(X) || SHA-512(X)
where '||' is concatenation. Assuming SHA-512 is a cryptographically secure
hash H trivially is as well. (Nothing in the definition of a cryptographic
hash function says anything about minimality.) But H(X) is clearly not
useful for producing a
First, I don't think it has anything to do with Dual EC DRBG. Who uses it?
My impression is that most of the encryption that fits what's in the article is
TLS/SSL. That is what secures most encrypted content going online. The easy
way to compromise that in a passive attack is to compromise
The backup access problem isn't just a crypto problem, it's a social/legal
problem. There ultimately needs to be some outside mechanism for using social
or legal means to ensure that, say, my kids can get access to at least some of
my encrypted files after I drop dead or land in the hospital
What I think we are worried about here are very widespread automated attacks,
and they're passive (data is collected and then attacks are run offline). All
that constrains what attacks make sense in this context. You need attacks that
you can run in a reasonable time, with minimal
If I had to bet, I'd bet on bad rngs as the most likely source of a
breakthrough in decrypting lots of encrypted traffic from different sources.
--John
I think it makes sense to separate out the user-level view of what happens (the
first five or six points) from how it's implemented (the last few points, and
any other implementation discussions). In order for security to be usable, the
user needs to know what he is being promised by the
From: Travis H. [EMAIL PROTECTED]
Sent: Jul 14, 2006 11:22 PM
To: David Mercer [EMAIL PROTECTED]
Cc: cryptography@metzdowd.com
Subject: Re: Interesting bit of a quote
...
The problem with this is determining if the media has been replaced.
Absent other protections, one could simply write a new
retention which
are applied to DREs; the procedures make lots of sense for paper
ballots, but no sense at all for DREs. I wonder how many other areas
of computer and more general security have this same kind of issue.
--John Kelsey, NIST
Guys,
Some of my co-workers here at NIST got an email macro virus which
appeared to be targeted to cryptographers. It appeared to be
addressed to Moti Yung, and come from Lawrie Brown and Henri Gilbert
(though that name was misspelled, maybe a transcription error from an
alternate character
extends the best attack on
FEAL to 64 rounds, that will be cool, but nobody will be scrambling to
replace FEAL in their products and protocols.)
Vlastimil Klima
--John Kelsey, NIST
-
The Cryptography Mailing List
Unsubscribe
, either directly
or via sampling the microphone like the Turbid design does, you're
probably on much firmer ground.)
--John Kelsey, NIST
Zenner               Phone: +45 39 17 96 06    Cryptico A/S
Chief Cryptographer  Mobile: +45 60 77 95 41   Fruebjergvej 3
[EMAIL PROTECTED]    www.cryptico.com          DK 2100 Copenhagen
--John Kelsey, NIST
From: Jack Lloyd [EMAIL PROTECTED]
Sent: Mar 22, 2006 11:30 PM
To: cryptography@metzdowd.com
Subject: Re: Entropy Definition (was Re: passphrases with more than 160 bits
of entropy)
...
As an aside, this whole discussion is confused by the fact that there
are a bunch of different domains in
From: John Denker [EMAIL PROTECTED]
Sent: Mar 23, 2006 1:44 PM
To: John Kelsey [EMAIL PROTECTED], cryptography@metzdowd.com
Subject: Re: Entropy Definition (was Re: passphrases with more than 160 bits
of entropy)
...
With some slight fiddling to get the normalization right, 1/2
raised
to
initialize a PRNG based on running AES-128 in counter mode?
David.
--John Kelsey, NIST
--John Kelsey
., but
eavesdropping and a lot of impersonation and spam and phishing would
get much harder.
Peter
--John Kelsey
is too important to be left to chance.
-- Robert R. Coveyou -- http://www.lightconsulting.com/~travis/
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
--John Kelsey
such a clever
trick.
-Jack
--John Kelsey
of parts of k or parts of x.
--John Kelsey
!
-- Jerry
--John Kelsey
From: cyphrpunk [EMAIL PROTECTED]
Sent: Oct 27, 2005 9:15 PM
To: James A. Donald [EMAIL PROTECTED]
Cc: cryptography@metzdowd.com, [EMAIL PROTECTED]
Subject: Re: On Digital Cash-like Payment Systems
On 10/26/05, James A. Donald [EMAIL PROTECTED] wrote:
How does one inflate a key?
Just make it
both
kinds of payment system are susceptible to the same broad classes of
attacks (bank misbehavior (for a short time), someone finding a
software bug, someone breaking a crypto algorithm or protocol). What
makes one more secure than the other?
...
Cheers,
RAH
--John Kelsey
From: cyphrpunk [EMAIL PROTECTED]
Sent: Oct 24, 2005 5:58 PM
To: John Kelsey [EMAIL PROTECTED]
Subject: Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like
Payment Systems
...
Digital wallets will require real security in user PCs. Still I don't
see why we don't already have
From: rbg9000 [EMAIL PROTECTED]
Sent: Sep 8, 2005 3:01 PM
To: cryptography@metzdowd.com
Subject: multiple keys to 1
Sorry, I really don't know much about encryption, and my
google searches haven't turned up much. I'm wondering if it's
possible to reduce a set of symmetric keys (aes, twofish,
technical support, and I got this
really encouraging reply
/
Dear John Kelsey,
Thank you for contacting us.
I understand that you are having problems viewing Webmail and that it send out
an
error on SSL certificate.
I suggest that you try lowering the security settings of your Internet
analytically, though
that gets more complicated), I can also break most systems
that use a hash function to prove prior knowledge. I gave a
rump session talk on this a few days ago at Crypto.
--John Kelsey, NIST, August 2005
From: Peter Gutmann [EMAIL PROTECTED]
Sent: Aug 11, 2005 7:42 AM
To: cryptography@metzdowd.com
Subject: How much for a DoD X.509 certificate?
$25 and a bit of marijuana, apparently. See:
http://www.wjla.com/news/stories/0305/210558.html
http://www.wjla.com/news/stories/0105/200474.html
sequentially does eliminate the simple
length-extension property, but there are variations on it
that can still be used--that's why Joux multicollisions can
be found even when you process the message twice
sequentially.
Are there other ways I'm not seeing to do this?
...
Cheers - Bill
--John Kelsey
,
and what makes me obey that rule? or what would happen if
I didn't do such and so?
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
--John Kelsey
security on one part of the system while ignoring the bigger
vulnerabilities. But this is a bit different
Perry
--John Kelsey
Guys,
I have what seems like a new and interesting result, which I
haven't seen before, but which may or may not be new.
The high order bit is that you can't generally guarantee
that truncating your hash (chopping off some bits) won't
weaken it. That is, if you chop SHA256 off to 160 bits as
and simple
application.
Aram Perez
--John Kelsey
we can fit you onto
the agenda for some discussion time.
--John Kelsey, NIST, July 2005
From: Charles M. Hannum [EMAIL PROTECTED]
Sent: Jul 3, 2005 7:42 AM
To: Don Davis [EMAIL PROTECTED]
Cc: cryptography@metzdowd.com
Subject: Re: /dev/random is probably not
...
Also, I don't buy for a picosecond that you have to gather
all timings in order to predict the output. As we know
from
.
Informally, we're calling this the halloween hash bash. Come dressed
as your favorite hash function! If you want to have some impact on
where we go with hash functions, this is a good thing to attend
Perry E. Metzger [EMAIL PROTECTED]
--John Kelsey, NIST
or the complementation property of DES--it doesn't
keep the crypto mechanism from being used securely, but it does make
the job of an engineer trying to use it needlessly more complicated.
Greg Rose INTERNET: [EMAIL PROTECTED]
--John Kelsey
at all to make this
kind of attack pattern work. It's a heck of a lot easier to
say don't use MD5.
...
-Ekr
--John Kelsey
is going
through K1.
This doesn't look like an especially realistic attack model, but I'm
not sure what you're doing with this
iang
--John Kelsey
From: Ian G [EMAIL PROTECTED]
Sent: Jun 7, 2005 7:43 AM
To: John Kelsey [EMAIL PROTECTED]
Cc: Steve Furlong [EMAIL PROTECTED], cryptography@metzdowd.com
Subject: Re: Papers about Algorithm hiding ?
[My comment was that better crypto would never have prevented the
Choicepoint data leakage. --JMK
disclosure.
It's just *your* data they don't mind giving out to random criminals.
No amount of crypto could have helped this.
iang
--John Kelsey
and debasement.
I suspect something very similar happens with the watchlists. I wonder how
many different layers of watchlist there are by now
--digsig
James A. Donald
--John Kelsey
. This is what it
looks like when someone develops a new class of attack that breaks a whole
bunch of your available cryptographic primitives in a big hurry.
Joe
--John Kelsey
no successful attacks on SHA-1.
Well, there *weren't* any a week ago
--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
--John Kelsey
) to be eavesdropped by moderately
technically savvy nosy neighbors, and because there are a lot of criminals who
are using more technology, and will surely target VOIP if they think they can
make any money off it.
Adam
--John Kelsey
From: John Denker [EMAIL PROTECTED]
Sent: Jan 10, 2005 12:21 AM
To: David Wagner [EMAIL PROTECTED]
Cc: cryptography@metzdowd.com
Subject: Re: Entropy and PRNGs
Conditioned on everything known to the attacker, of course.
Well, of course indeed! That notion of entropy -- the entropy
in the
the PRNG is in a known state, and the time when it's used to generate an
output.
--John Kelsey
From: Ben Laurie [EMAIL PROTECTED]
Sent: Dec 22, 2004 12:24 PM
To: David Wagner [EMAIL PROTECTED]
Cc: cryptography@metzdowd.com
Subject: Re: The Pointlessness of the MD5 attacks
...
Assuming you could find a collision s.t. the resulting decryption looked
safe with one version and unsafe with the
From: Ben Laurie [EMAIL PROTECTED]
Sent: Dec 14, 2004 9:43 AM
To: Cryptography [EMAIL PROTECTED]
Subject: The Pointlessness of the MD5 attacks
Dan Kaminsky's recent posting seems to have caused some excitement, but
I really can't see why. In particular, the idea of having two different
From: Adam Shostack [EMAIL PROTECTED]
Sent: Dec 11, 2004 4:52 PM
Subject: Re: Blinky Rides Again: RCMP suspect al-Qaida messages
...
It seems consistent that Al Qaeda prefers being 'fish in the sea' to
standing out by use of crypto. Also, given the depth and breadth of
conspiracies they believe
--John Kelsey
News story quoted by RAH:
WASHINGTON - The government on Friday ordered airlines to turn over
personal information about passengers who flew within the United States in
June in order to test a new system for identifying potential terrorists.
The interesting thing here is that they can't really
Guys,
Bruce and I have a new result on hash function security, which uses Joux'
multicollision trick in a neat way to allow long-message second preimage
attacks. We've posted it to the e-print server.
The basic result is that for any n-bit hash function built along the lines of
SHA1 or
From: Ian Grigg [EMAIL PROTECTED]
Sent: Oct 10, 2004 11:11 AM
To: Metzdowd Crypto [EMAIL PROTECTED]
Subject: AES Modes
I'm looking for basic mode to encrypt blocks (using AES)
of about 1k in length, +/- an order of magnitude. Looking
at the above table (2nd link) there are oodles of proposed
From: Dave Howe [EMAIL PROTECTED]
Sent: Oct 5, 2004 12:32 PM
To: [EMAIL PROTECTED]
Subject: Re: IBM's original S-Boxes for DES?
More accurately, they didn't protect against linear cryptanalysis -
there is no way to know if they knew about it and either didn't want to
make changes to protect
. I'm sure there are some clever crypto protocol ways to address this
(basically, do a zero-knowledge proof of the value of the random number you used in
deriving the key), but I have a hard time thinking this is at all practical
John
--John Kelsey
From: Ian Farquhar [EMAIL PROTECTED]
Sent: Sep 20, 2004 10:14 PM
To: "Hal Finney" [EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED]
Subject: Re: Time for new hash standard
At 05:43 AM 21/09/2004, Hal Finney wrote:
I believe this is a MAC, despite the name. It seems to be easier to