3) Shortly after the token indictment of Zimmerman (thus prompting widespread
use and promotion of the RSA public key encryption algorithm), the Clinton
administration's FBI then advocated a relaxation of encryption export
regulations in addition to dropping all plans for the Clipper chip
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Sep 7, 2013, at 8:06 PM, John Kelsey crypto@gmail.com wrote:
There are basically two ways your RNG can be cooked:
a. It generates predictable values. Any good cryptographic PRNG will do
this if seeded by an attacker. Any crypto PRNG
On Sep 6, 2013, at 11:05 PM, Jaap-Henk Hoepman j...@cs.ru.nl wrote:
Public-key cryptography is less well-understood than symmetric-key
cryptography. It is also tetchier than symmetric-key crypto, and if you pay
attention to us talking about
On Sep 7, 2013, at 12:14 AM, Dave Horsfall d...@horsfall.org wrote:
Got a question that's been bothering me for a while, but it's likely purely academic.
Take the plaintext and the ciphertext, and XOR them together. Does the result reveal
On Sep 7, 2013, at 5:09 PM, Perry E. Metzger pe...@piermont.com wrote:
Note that such systems should at this point be using deterministic
methods (hashes of text + other data) to create the needed nonces. I
believe several such methods have been
On Sep 6, 2013, at 11:41 AM, Jack Lloyd ll...@randombit.net wrote:
I think that any of OCB, CCM, or EAX are preferable from a security
standpoint, but none of them parallelize as well. If you want to do
a lot of encrypted and authenticated
On Sep 6, 2013, at 4:42 AM, Jerry Leichter leich...@lrw.com wrote:
Argh! And this is why I dislike using symmetric and asymmetric to
describe cryptosystems: In English, the distinction is way too brittle.
Just a one-letter difference - and
On Sep 6, 2013, at 6:23 AM, Jerry Leichter leich...@lrw.com wrote:
Is such an attack against AES *plausible*? I'd have to say no. But if you
were on the stand as an expert witness and were asked under cross-examination
"Is this *possible*?", I
On Sep 6, 2013, at 6:13 AM, Jaap-Henk Hoepman j...@cs.ru.nl wrote:
In this op-ed in the Guardian
http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
Bruce Schneier writes: "Prefer symmetric cryptography over public-key
cryptography." The only reason I can
On Sep 5, 2013, at 4:09 PM, Perry E. Metzger pe...@piermont.com wrote:
Now, this certainly was a problem for the random number generator
standard, but is it an actual worry in other contexts? I tend not to
believe that but I'm curious about
On Sep 5, 2013, at 6:16 PM, Dan McDonald dan...@kebe.com wrote:
Consider the Suite B set of algorithms:
AES-GCM
AES-GMAC
IEEE Elliptic Curves (256, 384, and 521-bit)
Traditionally, people were pretty confident in these.
On Sep 5, 2013, at 7:15 PM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:
Jon Callas j...@callas.org writes:
My opinion about GCM and GMAC has not changed. I've never been a fan.
Same here. AES is, as far as we know, pretty secure, so any
On Sep 5, 2013, at 7:01 PM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:
Perry E. Metzger pe...@piermont.com writes:
I'm aware of the randomness issues for ECDSA, but what's the issue with ECDH
that you're thinking of?
It's not just
On Sep 5, 2013, at 7:31 PM, Jerry Leichter leich...@lrw.com wrote:
Another interesting goal: Shape worldwide commercial cryptography
marketplace to make it more tractable to advanced cryptanalytic capabilities
being developed by NSA/CSS.
On Sep 5, 2013, at 8:02 PM, Jerry Leichter leich...@lrw.com wrote:
Perhaps it's time to move away from public-key entirely! We have a classic
paper - Needham and Schroeder, maybe? - showing that private key can do
anything public key can; it's
On Sep 5, 2013, at 8:24 PM, Jerry Leichter leich...@lrw.com wrote:
Another interesting goal: Shape worldwide commercial cryptography
marketplace to make it more tractable to advanced cryptanalytic
capabilities being developed by NSA/CSS. ...
On Sep 5, 2013, at 9:33 PM, Perry E. Metzger pe...@piermont.com wrote:
It is probably very difficult, possibly impossible in practice, to
backdoor a symmetric cipher. For evidence, I direct you to this old
paper by Blaze, Feigenbaum and
What is the state of prior art for the P-384? When was it first published?
Given that RIM is trying to sell itself right now and the patents are the
only asset worth having, I don't have good feelings on this. Well apart from
the business
2) Is anyone aware of ITAR changes for SHA hashes in recent years that
require more than the requisite notification email to NSA for download URL
and authorship information? Figuring this one out last time around took
ltttss of
On Sep 2, 2013, at 3:06 PM, Jack Lloyd ll...@randombit.net wrote:
On Mon, Sep 02, 2013 at 03:09:31PM -0400, Jerry Leichter wrote:
a) The very reference you give says that to be equivalent to 128
bits symmetric, you'd need a 3072 bit RSA key -
On Aug 29, 2013, at 3:43 AM, Jerry Leichter leich...@lrw.com wrote:
- If I need to change because the private key was compromised, there's
nothing I can do about past messages; the question is what I do to minimize
the number of new messages
What on earth happened? Was there a change in banking regulations in the last
few months?
Possibly it's related to PCI DSS and other work that BITS has been doing. Also,
if one major player cleans up their act and sings about how cool they are, then
that can cause the ice to break.
Another
On Aug 9, 2010, at 4:47 PM, Perry E. Metzger wrote:
Really quite mediocre coverage of Blackberry's security issues
https://www.nytimes.com/2010/08/09/technology/09rim.html
I especially fault them for having virtually no coverage of the
position that would oppose removing security
On Jul 30, 2010, at 4:58 AM, Peter Gutmann wrote:
[0] I've never understood why this is a comedy of errors, it seems more like
a tragedy of errors to me.
That is because a tragedy involves someone dying. Strictly speaking, a tragedy
involves a Great Person who is brought to their undoing
On Aug 4, 2010, at 11:29 PM, Peter Gutmann wrote:
Jon Callas j...@callas.org writes:
But S.J. Perleman's Three Shares in a Boat
Uhh. minor nitpick, it was Jerome K.Jerome who wrote Three Shares in a
Boat.
He followed it up with Three Certificates on the Bummel, a reference
On Mar 24, 2010, at 2:07 AM, Stephan Neuhaus wrote:
On Mar 23, 2010, at 22:42, Jon Callas wrote:
If you need to rekey, tear down the SSL connection and make a new one. There
should be a higher level construct in the application that abstracts the two
connections into one session
I'd be interested in hearing what people think on the topic. I'm a bit
skeptical of his position, partially because I think we have too little
experience with real world attacks on cryptographic protocols, but I'm
fairly open-minded at this point.
I think that if anything, he doesn't go far
On Sep 17, 2009, at 6:31 AM, Jim Windle wrote:
http://www.genengnews.com/cryptogramchallenge/
This is a contest to decode the message encrypted in the colors of a
96-well microtiter plate used for an enzyme-linked immunosorbent assay test
in which the colors indicate the amount of antigen
On Jul 26, 2009, at 10:31 PM, Peter Gutmann wrote:
Jon Callas j...@callas.org writes:
You are of course correct, Peter, but are you saying that we shouldn't do
anything?
Well, I think it's necessary to consider the tradeoffs, if you don't know the
other side's capabilities then it's
Where this falls apart completely is when there are asymmetric capabilities
across sender and receiver.
You are of course correct, Peter, but are you saying that we shouldn't
do anything?
I don't believe that we should roll over and die. We should fight
back, even if the advantage is to
On Jul 17, 2009, at 8:39 PM, Peter Gutmann wrote:
PGP Desktop 9 uses as its default an iteration count of four million (!!)
for its password hashing, which looks like a DoS to anything that does
sanity-checking of input.
That's precisely what it is -- a denial of service to password
On Jul 1, 2009, at 4:29 PM, silky wrote:
On Wed, Jul 1, 2009 at 6:48 PM, Udhay Shankar N ud...@pobox.com wrote:
Udhay Shankar N wrote, [on 5/29/2009 9:02 AM]:
Fascinating discussion at boing boing that will probably be of interest
to this list.
On Jun 27, 2009, at 6:57 PM, Perry E. Metzger wrote:
Does anyone have a recommended encrypted password storage program for
the mac?
I would recommend the built-in keychain for anything that it works with.
Jon
I'd use a tweakable mode like EME-star (also EME*) that is designed
for something like this. It would also work with 512-byte blocks.
Jon
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography
It also is not going to be trivial to do this -- but it is now in the
realm of possibility.
I'm not being entirely a smartass when I say that it's always in the
realm of possibility. The nominal probability for SHA-1 -- either 2^80
or 2^160 depending on context -- is a positive number.
On Apr 30, 2009, at 4:31 PM, Perry E. Metzger wrote:
Eric Rescorla e...@networkresonance.com writes:
McDonald, Hawkes and Pieprzyk claim that they have reduced the collision
strength of SHA-1 to 2^{52}.
Slides here:
http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf
On Feb 12, 2009, at 11:24 AM, Donald Eastlake wrote:
On Thu, Feb 12, 2009 at 12:58 PM, Perry E. Metzger
pe...@piermont.com wrote:
s...@acw.com writes:
...
There are four kinds of intellectual property. Is it a trade secret?
No. Is it a trademark or something allied like trade dress? No.
I have a general outline of a timeline for adoption of new crypto
mechanisms (e.g. OAEP, PSS, that sort of thing, and not specifically
algorithms) in my Crypto Gardening Guide and Planting Tips,
http://www.cs.auckland.ac.nz/~pgut001/pubs/crypto_guide.txt, see Question J
about 2/3 of the way
In the NBC TV episode of /Chuck/ a couple of weeks ago, the NSA cracked
a 512-bit AES cipher on a flash drive trying every possible key.
Could be hours, could be days. (Only minutes in TV land.)
http://www.nbc.com/Chuck/video/episodes/#vid=838461
(Chuck Versus The Fat Lady, 4th segment, at
On Nov 24, 2008, at 8:54 PM, Peter Gutmann wrote:
This doesn't seem to have garnered much attention, but this year marks two
milestones in PKI: Loren Kohnfelder's thesis was published 30 years ago, and
X.509v1 was published 20 years ago.
As a sign of PKI's successful penetration of the
On Sep 29, 2008, at 5:13 AM, IanG wrote:
If I have N pools of entropy (all same size X) and I pool them
together with XOR, is that as good as it gets?
My assumptions are:
* I trust no single source of Random Numbers.
* I trust at least one source of all the sources.
* no particular
At one time, we believed that with enough crypto, we would be safe,
but we were disabused of that notion -- crypto is a great tool but not
a panacea. Now the notion seems to be that with enough human factors,
we will be safe. It appears this, too, is not a panacea.
What you mean, We?
I said
A cheap USB camera would make a good source.
The cheaper the better, too. Pull a frame off,
hash it, and it's got entropy, even against a
white background. No lava lamp needed.
I sort of agree, but I feel cautious about recommending that people
use their holiday snaps. And then post them on
Does anyone know of a cheap USB random number source?
As a meandering comment, it would be extremely good for us if we had
cheap pocket random number sources of arguable quality [1].
I've often thought that if we had an open source hardware design of
a USB random number generator ... that cost
We were wondering if it was possible to use a hash function instead.
Using the password he provided at the login screen and hash it n times.
Master Password: hash(hash(login_password))
Would this be a good idea if we've used this generated hash as a key
for AES?
Would the hashing be
On May 6, 2008, at 1:14 AM, James A. Donald wrote:
Perry E. Metzger wrote:
What you can't do, full stop, is
know that there are no unexpected security related behaviors in the
hardware or software. That's just not possible.
Ben Laurie wrote:
Rice's theorem says you can't _always_ solve
On Mar 19, 2008, at 6:56 PM, Steven M. Bellovin wrote:
I've been thinking about similar issues. It seems to me that just
destroying the key schedule is a big help -- enough bits will change in
the key that data recovery using just the damaged key is hard, per
comments in the paper itself.
On Mar 16, 2008, at 8:50 AM, John Levine wrote:
So at the company I work for, most of the internal systems have
expired SSL certs, or self-signed certs. Obviously this is bad.
You only think this is bad because you believe CAs add some value.
Presumably the value they add is that they
Such as Cold Boot, etc.
There have been a number of conversations among my colleagues on how
to ameliorate this, particularly with an eye to making suspend mode
safer.
In the Cold Boot paper, the authors suggested XORing a piece of random
memory onto the dangerous bits, so as to fuzz
So, is anyone else as amused as I am that Apple can release an EFI
firmware update to zeroize MacBook Air memory at boot-time, turning
the heretofore widely-decried inability to upgrade that laptop's RAM
-- due to the chips being soldered to the motherboard -- into an
advantage, and making
http://news.bbc.co.uk/2/hi/business/7255685.stm
Excerpt:
An internal investigation into billions of euros of losses at
Societe Generale has found that controls at the French bank
lacked depth.
The results of the investigation also show that rogue trades
were first made back in
On Feb 21, 2008, at 12:14 PM, Ali, Saqib wrote:
However, the hardware based encryption solutions like (Seagate FDE)
would easily deter this type of attacks, because in a Seagate FDE
drive the decryption key never gets to the DRAM. The keys always
remain in the Trusted ASIC on the drive.
Umm,
On Feb 4, 2008, at 1:55 PM, Arshad Noor wrote:
Do business people get it? Do security professionals get it?
Apparently not.
Arshad Noor
StrongAuth, Inc.
Huge losses reported by Société Générale were apparently enabled
by forgotten low-level IT chores such as password management.
I don't know anything about this case, so everything I say is pure
supposition.
Let's suppose you have Alice and Bob who are working together on some
sort of business, and they are using some OpenPGP [1] software to
encrypt their emails that pertain to that business. Let's suppose
that
On Nov 1, 2007, at 10:49 AM, John Levine wrote:
Since email between hushmail accounts is generally PGPed. (That is
the point, right?)
Hushmail is actually kind of a scam. In its normal configuration,
it's in effect just webmail with an HTTPS connection and a long
password. It will
On Oct 24, 2007, at 1:21 PM, Steven M. Bellovin wrote:
I hope they don't get the patent. The idea of using a GPU for
cryptographic calculations isn't new; see, for example, Remotely Keyed
Cryptographics: Secure Remote Display Access Using (Mostly) Untrusted
Hardware
On Oct 22, 2007, at 12:07 PM, Steven M. Bellovin wrote:
On Thu, 18 Oct 2007 12:49:40 -0700
Jon Callas [EMAIL PROTECTED] wrote:
Ah, there are some trustworthy photons. Oops, we can trust them,
but we don't know if they are relevant. Ah, there's a relevant photon
And we know
I'm a beta-tester for it, and while I can understand a small twitch
when they talk about miltary and beyond military levels of
security, it is very cool.
It has hardware encryption and will erase itself if there are too
many password failures. I consider that an issue, personally, but it
Via Farber's list:
From: Rod Van Meter [EMAIL PROTECTED]
Date: August 18, 2007 11:39:47 AM EDT
To: [EMAIL PROTECTED]
Subject: Re: [IP] Light pulses crack security codes within seconds
http://www.tgdaily.com/content/view/33425/118/
Wow, that's one of the most egregious quantum computing-related
On Jun 26, 2007, at 10:10 AM, Nicolas Williams wrote:
This too is a *fundamental* difference between QKD and classical
cryptography.
What does this classical word mean? Is it the Quantum way to say
real? I know we're in violent agreement, but why are we letting
them play language games?
On Jun 25, 2007, at 7:23 PM, Matt Johnston wrote:
On Mon, Jun 25, 2007 at 04:42:56PM +1200, David G. Koontz wrote:
Apple (mis)uses TPM to unsuccessfully prevent OS X from running on non-Apple
Hardware.
All Apple on Intel machines have TPM, that's what 6 percent of new PCs?
To nit
On Jun 22, 2007, at 10:44 AM, Ali, Saqib wrote:
...whereas the key distribution systems we have aren't affected by
eavesdropping unless the attacker has the ability to perform 2^128 or
more operations, which he doesn't.
Paul: Here you are assuming that key exchange has already taken place.
On Jun 20, 2007, at 8:41 PM, Steven M. Bellovin wrote:
According to the AP (which is quoting Le Monde), French government
defense experts have advised officials in France's corridors of power
to stop using BlackBerry, reportedly to avoid snooping by U.S.
intelligence agencies.
That's a bit
On Jun 13, 2007, at 4:47 AM, Charles Jackson wrote:
A quick question.
Is anyone aware of a commercial product that implements secret sharing? If
so, can I get a pointer to some product literature?
PGP. http://www.pgp.com/
I can tell you more gory details than you're probably interested
He's out of surgery, doing well, and the doctors say he'll be better
than he's been for ten years.
Jon
On May 9, 2007, at 5:01 PM, Ali, Saqib wrote:
Hi Jon,
Rights management systems work against polite attackers. They are
useless against impolite attackers. Look at the way that
entertainment rights management systems have been attacked.
The rights management system will be secure so long as
Phil Zimmermann is going in tonight (7 May) for heart bypass surgery.
He's not in immediate danger -- he's not having a heart attack, he's
in no immediate danger, but they're pushing him into the hospital
quicker than any reasonable person would like. Obviously, that makes
for worries.
On May 8, 2007, at 10:16 AM, Ali, Saqib wrote:
I was recently asked why not just deploy a Enterprise Right Management
solution instead of using various encryption tools to prevent data
leaks.
Any thoughts?
What problem are you trying to solve?
If you're dealing with a rights-management
On May 1, 2007, at 12:53 PM, Perry E. Metzger wrote:
A lot of sites have been getting DMCA takedowns for the HD-DVD
processing key that got leaked recently.
My question to the assembled: are cryptographic keys really subject to
DMCA subject to takedown requests? I suspect they are not
On 13 Dec 2006, at 11:57 AM, Perry E. Metzger wrote:
I saw this link on Slashdot (and it was also on Ekr's blog):
http://hackreport.net/2006/12/13/quantum-cryptography-its-some-kind-of-magiq/
It appears that the quantum crypto meme just won't go away.
Bob Gelfond of MagiQ promises us
On 5 Dec 2006, at 3:22 PM, Brian Gladman wrote:
For AES the round function and key scheduling cost per round are
basically the same for both AES-128 and AES-256. In consequence I would
expect the speed ratio to be close to the ratio of the number of rounds,
which is 14 / 10 or 40%.
My
I just ran a speed test on my laptop. Here are some relevant excerpts:
Cipher   Key Size   Block Size   Enc KB/sec   Dec KB/sec
------   --------   ----------   ----------   ----------
IDEA     128 bits   8 bytes      24032.09     24030.66
3DES     192 bits   8 bytes      10387.67     10399.30
CAST5
On 20 Nov 2006, at 9:46 PM, Steve Schear wrote:
Assume that smartcard based passports will be used in the same way
the current variety are, that is swiped in or placed near a contact
or contact-less reader by the immigration officer within a meter or
so of the passport presenter. Why not
Just wondering about this little piece. How did we get to 256-bit
AES as a requirement? Just what threat out there justifies it?
There's no conceivable brute-force attack against 128-bit AES as far
out as we can see, so we're presumably being paranoid about an analytic
attack. But is there
This amounts to *not* using ASN.1 - treating the ASN.1
data as mere arbitrary padding bits, devoid of
information content.
That is correct, it has the advantage of being merely a byte string
that denotes a given hash.
Jon
On 5 Sep 2006, at 2:40 AM, Massimiliano Pala wrote:
This approach is MTA-to-MTA... if you want something more MTA-to-MUA
Not precisely. It is *primarily* MTA-to-MTA, for a number of very
good reasons, like privacy. However, a number of people will be
implementing DKIM verification in
On 4 Sep 2006, at 4:13 AM, Travis H. wrote:
Has anyone created hooks in MTAs so that they automagically
sign outbound email, so that you can stop forgery spam via a
SRV DNS record?
Take a look at DKIM (Domain Keys Identified Mail) which does
precisely that. There is an IETF working group
On 21 Aug 2006, at 3:36 PM, Max A. wrote:
Hello!
Could anybody familiar with PGP products look at the following page
and explain in brief what it is about and what are consequences of the
described bug?
http://www.safehack.com/Advisory/pgp/PGPcrack.html
The text there looks to me rather
On 23 May 2006, at 8:19 AM, Perry E. Metzger wrote:
Following the links from a /. story about a secure(?) mobile phone
VectroTel in Switzerland is selling, I came across the fact that this
firm sells a full line of encrypted phones.
http://www.vectrotel.ch/
The devices apparently use D-H
I have to chime in on a number of points. I'll try to keep commercial
plugs to a minimum.
* An awful lot of this discussion is some combination of outdated and
true but irrelevant. For example, it is true that usability of all
computers is not what it could be. But a lot of what has
On 4 Nov 2005, at 5:23 PM, Travis H. wrote:
For example, pgp doesn't hide the key IDs of the addressees.
But OpenPGP does. Here's an extract from RFC 2440:
5.1. Public-Key Encrypted Session Key Packets (Tag 1)
[...]
An implementation MAY accept or use a Key ID of zero as a wild card
On 4 Feb 2005, at 10:51 AM, Greg Rose wrote:
I'm surprised that no-one has said that ECB mode is unsafe at any
speed.
Because if they did, some smartass would chime in and say that ECB mode
is perfectly fine at some speeds.
For example, you could safely encrypt one bit in ECB mode,
On 18 Oct 2004, at 12:49 PM, Hal Finney wrote:
Does anyone have pointers to crypto related weblogs? Bruce Schneier
recently announced that Crypto-Gram would be coming out incrementally
in blog form at http://www.schneier.com/blog/. I follow Ian Grigg's
Financial Cryptography blog,
On 15 Jul 2004, at 9:36 PM, Aram Perez wrote:
I'm not sure if PGP deliberately set out to confuse naïve users since their
logo has been the padlock for a while. Many web sites have their logo
displayed on the address bar (and tab) when you go to their site, see
http://www.yahoo.com or
On Saturday, October 25, 2003, at 08:29 AM, Russell Nelson wrote:
I wonder if the DMCA (why do those initials bring to mind a song by
The Village People?) isn't invoking Gresham's Law? Gresham's Law says
bad money drives out good, but it only applies when there is a legal
tender law. Such a
85 matches