Re: Formal notice given of rearrangement of deck chairs on RMS PKItanic

2010-10-06 Thread Matt Crawford

On Oct 6, 2010, at 10:48 AM, Victor Duchovni wrote:

 On Wed, Oct 06, 2010 at 04:52:46PM +1300, Peter Gutmann wrote:
 
 From https://wiki.mozilla.org/CA:MD5and1024:
 
  December 31, 2010 - CAs should stop issuing intermediate and end-entity
  certificates from roots with RSA key sizes smaller than 2048 bits [0]. All
  CAs should stop issuing intermediate and end-entity certificates with RSA
  key size smaller than 2048 bits under any root.
 
 [...]
 
 [0] This is ambiguously worded, but it's talking about key sizes in EE certs.
 
 What are EE certs, did you mean EV?

EE = End Entity, but I don't read the first sentence the way Peter did. I parse 
it as

 CAs should stop issuing (intermediate and end-entity
 certificates) from (roots with RSA key sizes smaller than 2048 bits).

That is, if your CA key size is smaller, stop signing with it.

Of course, if it's important to stop signing with it, it's equally important to 
revoke all signatures already made.



smime.p7s
Description: S/MIME cryptographic signature


Re: 2048-bit RSA keys

2010-08-18 Thread Matt Crawford

On Aug 17, 2010, at 10:25 PM, John Gilmore wrote:

 (Given their prediction that they won't be done with a 1024-bit number
 within 5 years, but they will be done well within the next decade,
 which 1024-bit number are they starting to factor now?  I hope it's a
 major key that certifies big chunks of the Internet for https today,
 rather than one of those silly challenge keys.)

If they announced which key they were working on, I would completely expect 
someone to demand a very amusing injunction against the performing of 
arithmetical operations.

When mathematics is outlawed ...

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: 2048-bit RSA keys

2010-08-16 Thread Matt Crawford

On Aug 15, 2010, at 8:35 PM, Arash Partow wrote:

 Just out of curiosity, assuming the optimal use of today's best of breed 
 factoring algorithms - will there be enough energy in our solar system to 
 factorize a 2048-bit RSA integer?

Computation can be performed with arbitrarily small energy expenditure or 
entropy increase.

http://en.wikipedia.org/wiki/Reversible_computing



Not by the architectures we use, of course.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Intel to also add RNG

2010-07-12 Thread Matt Crawford

On Jul 12, 2010, at 11:22 AM, Perry E. Metzger wrote:

 The
 literature makes it clear at this point that short of carefully
 tearing apart and analyzing the entire chip, you're not going to catch
 subtle behavioral changes designed to allow attackers backdoor
 access.

I happen to be re-reading Vernor Vinge's _A Deepness in the Sky_ right now. In 
it, a conquering power needs to use the computing and communication technology 
of its subjugated foe, and has unusual resources to carry out a thorough code 
audit. However, the foe has been hiding secrets since before the victors were 
fooling with electricity ...



smime.p7s
Description: S/MIME cryptographic signature


Re: Question regarding common modulus on elliptic curve cryptosystems

2010-03-25 Thread Matt Crawford

On Mar 21, 2010, at 4:13 PM, Sergio Lerner wrote:

 I looking for a public-key cryptosystem that allows commutation of the 
 operations of encription/decryption for different users keys
 ( Ek(Es(m)) =  Es(Ek(m)) ).
 I haven't found a simple cryptosystem in Zp or Z/nZ.
 
 I think the solution may be something like the RSA analogs in elliptic 
 curves. Maybe a scheme that allows the use of a common modulus for all users 
 (RSA does not).

If your application can work with a trusted authority generating all the 
keypairs, and you sacrifice the use of short public exponents *and* sacrifice 
the possession of the factors of the modulus by the key owners, making them do 
more work on decryption, I think you can have what you asked for. But that's a 
lot of ifs.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Crypto dongles to secure online transactions

2009-11-11 Thread Matt Crawford


On Nov 10, 2009, at 8:44 AM, Jerry Leichter wrote:

Whether or not it can, it demonstrates the hazards of freezing  
implementations of crypto protocols into ROM:  Imagine a world in  
which there are a couple of hundred million ZTIC's or similar  
devices fielded - and a significant vulnerability is found in the  
protocol they speak.


Imagine a couple of hundred million devices with updatable firmware on  
them, and one or more rogue updates in the wild.


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: FileVault on other than home directories on MacOS?

2009-09-23 Thread Matt Crawford


On Sep 21, 2009, at 3:57 PM, Steven Bellovin wrote:

Is there any way to use FileVault on MacOS except on home  
directories?  I don't much want to use it on my home directory; it  
doesn't play well with Time Machine (remember that availability is  
also a security property); besides, different directories of mine  
have different sensitivity levels.


According to an Apple security person who spoke here about a year ago,  
you can use the underlying CLI to do everything FileVault does, but at  
some other point(s) in the directory tree than home directories.


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: The password-reset paradox

2009-02-23 Thread Matt Crawford


On Feb 21, 2009, at 10:26 PM, Charlie Kaufman wrote:

Assuming that's true, OTP tokens add costs by introducing new  
failure modes (e.g.,

I lost it, I ran it through the washing machine, etc.)


Or even more surprising hazards.

http://home.fnal.gov/~crawdad/CryptoCard.jpg

The token on the left in that picture was issued in 2003 by postal  
mail to a Sloane Digital Sky Survey collaborator at the US Naval  
Observatory. All incoming packages were subjected to high doses of  
electron and x-ray radiation, as it is also the residence of the Vice  
President.


On the right is the normal appearance of the token and its holder.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


XKCD shows the real world of cryptography to the masses

2009-02-02 Thread Matt Crawford
Perry, I couldn't possibly be the first to pass along today's XKCD,  
could I?


http://xkcd.com/538/

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: statistical inferences and PRNG characterization

2006-05-22 Thread Matt Crawford


On May 19, 2006, at 6:51, Travis H. wrote:


As I understand it, when looking at output, one can take a
hypothetical source model (e.g. P(0) = 0.3, P(1) = 0.7, all bits
independent) and come up with a probability that the source may have
generated that output.


One can come up with the probability that the defined source will  
generate that output in a single run.



  One cannot, however, say what probability such
a source had generated the output, because there is an infinite number
of sources (e.g. P(0) = 0.2.., P(1) = 7.000...).  Can one say
that, if the source must be A or B, what probability it actually was A
(and if so, how)?


If you can put your question into the form, Source A or B is chosen  
with probability pA or 1-pA.  Output X is generated.  What is the  
probability that it was source A that was chosen? then Bayesian  
inference can answer the question.  However, you don't generally have  
a known a priori probability of each source being chosen, and you  
don't even know the characteristics of the other source.  You can  
generalize to an arbitrary number of alternative sources, but that  
doesn't provide the prior data that's lacking.



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: passphrases with more than 160 bits of entropy

2006-03-22 Thread Matt Crawford
Let me rephrase my sequence. Create a sequence of 256 consecutive  
bytes, with the first byte having the value of 0, the second byte  
the value of 1, ... and the last byte the value of 255. If you  
measure the entropy (according to Shannon) of that sequence of 256  
bytes, you have maximum entropy.


I so often get irritated when non-physicists discuss entropy.  The  
word is almost always misused. I looked at Shannon's definition and  
it is fine, from a physics point of view.  But if you apply  
thoughtfully to a single fixed sequence, you correctly get the answer  
zero.


If your sequence is defined to be { 0, 1, 2, ..., 255 }, the  
probability of getting that sequence is 1 and of any other sequence,  
0.  Plug it in.


If you have a generator of 8-bit random numbers and every sample is  
independent and uniformly distributed, and you ran this for a  
gazillion iterations and wrote to the list one day saying the special  
sequence { 0, 1, 2, ..., 255 } had appeared in the output, that's a  
different story.  But still, we would talk about the entropy of your  
generator, not of one particular sequence of outputs.



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: another feature RNGs could provide

2005-12-22 Thread Matt Crawford

On Dec 21, 2005, at 0:10, Ben Laurie wrote:

Good ciphers aren't permutations, though, are they? Because if they
were, they'd be groups, and that would be bad.


A given cipher, with a given key, is a permutation of blocks.   
(Assuming output blocks and input blocks are the same size.)  It may  
be (and often is) the case that the set of all keys does not span the  
set of all possible permutations, in which case the permutations


  { E_k() | k in set of all keys }

may or may not turn out to be a group.

For blocks of n bits and keys of m bits, there are n! permutations  
but 2^m of them are representable by some key.  If m = n, this is a  
fraction roughly equal to


  (2e/n)^n

About 10^-70 for n=64.  I don't know the probability of a randomly  
selected subset of a permutation group being a group, but at these  
scales, I bet it's small.



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Japan Puts Its Money on E-Cash

2005-12-13 Thread Matt Crawford


On Dec 12, 2005, at 18:14, R. A. Hettinga wrote:


 But would it work in a place like the United
 States, where 24 percent of transactions are made on credit?

 Some Americans, analysts note, are already using a version of e- 
cash to

 bypass toll lanes on highways.


Don't take that as a sign of consumer acceptance, though.  In  
Illinois, if you won't pre-pay your tolls in $40 increments, you will  
pay double the rate in cash at the toolbooth.  And the electronic  
system is anything but anonymous.



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Pseudonymity for tor: nym-0.1 (fwd)

2005-10-02 Thread Matt Crawford

On Sep 29, 2005, at 18:32, Jason Holt wrote:
Of course, you can put anything you want in the cert, since the  
servers know that my CA only certifies 1 bit of data about users  
(namely, that they only get one cert per scarce resource).


One per person is a tough thing to do purely over the internet.  IP  
addresses get NATted or reassigned dynamically.  Email addresses are  
free in infinite quantity.  Any system that levels penalties on nyms  
for bad actions is playing whack-a-mole.  A system in which nyms  
accumulate {fame, credit, privilege} for good actions still has a  
hope ... as long as those credits can't be granted by an army of  
extra nyms of the same person.



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: ECC patents?

2005-09-13 Thread Matt Crawford


On Sep 12, 2005, at 11:32, James A. Donald wrote:


Someone recently patented the wheel, to show how bad the
situation is.


That's a bit misleading without the context.  Google patented-the- 
wheel for details.



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: de-identification

2005-06-09 Thread Matt Crawford

On Jun 8, 2005, at 15:19, [EMAIL PROTECTED] wrote:

I'd like to come up to speed on the state of the
art in de-identification (~=anonymization) of data
especially monitoring data (firewall/hids logs, say).


I don't know the state of the art, but I can tell you the state of the 
artless.  I had a request to share ourr border router traffic logs 
(Cisco netflow) with a university, so they could try out some anomaly 
detection schemes they were working on.


(Bkgnd: We don't consider our network topology sensitive. Our traffic 
logs are subject to a general respect for privacy.)


Since they could send us packets of their choosing, I deemed it useless 
to obfuscate our own IP addresses.  I chose to anonymize all the 
external addresses.  My design note is below.


But then, as fate would have it, the university said they needed the 
true external addresses.  That left me a bit stumped.  Perhaps a less 
chaotic mapping, like one that is bijective between classful network 
numbers, would do.



obfuscation filter program

  Parameters
Blocks of IP addresses deemed internal.  Internal includes multicast
addresses and RFC 1918 private use address.

  Working data preserved across runs
For each date, a database of (true address, substituted address) 
pairings.


  Algorithms
Substituted addresses are pseudo-random, formed by MD5-hashing a
string (S | D | A | N) and taking the first 32 bits.
  S = fixed secret hash seed, long term
  D = date of data, in MMDD format
  N = integer, starting at 0 and incremented if resulting address
  is an internal one or a collision.

to obfuscate an IP address: {
  if it's internal, return it unchanged.  otherwise
   is a substitute is already assigned?  If so, return it. otherwise
for ( done = N = 0; !done; N++ ) {
  generate substitute address by hashing as above
  if ( !collision ) done = 1
}
save forward  reverse mappings
}

for each netflow record {
  i = 0
  if ( src is external ) {
obfuscate src; i++
  }
  if ( dst is external ) {
obfuscate dst; i++
  }
  if ( i != 1 ) log an unusual condition
  write output
}

Scripts:

  generator loops over input files, applying obfuscator, writing 
temp-named

  output file, then renaming completed output file to permanent name.

  mover looks for completed output files, copies them to destination, 
then

  looks for more, sleeping and retrying if there are none.

Other notes:

  The obfuscated mappings can be regenerated at will if exactly the 
same data

  is processed in the same sequence, and the secret hash seed is known.


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: [Clips] Paying Extra for Faster Airport Security

2005-06-06 Thread Matt Crawford
The [express-line security] program will be operated by New York-based 
Verified Identity Pass Inc., a private company run by Steven Brill, 
whose former ventures included Court TV and The American Lawyer 
magazine. The program marks the first time a private company has 
teamed up with the government to speed up airport security lines. 
Yesterday, the Greater Orlando Aviation Authority board awarded the 
contract for its new system to Verified Identity Pass's system, opting 
for its prospectus over a proposal from Unisys Corp.



I wonder what testing is planned and what penalties are specified in
the contract for false negatives.

My guess: little and none.


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Bluetooth cracked further

2005-06-03 Thread Matt Crawford

On Jun 3, 2005, at 11:55, Perry E. Metzger wrote:

2) They also have a way of forcing pairing to happen, by impersonating
   one of the devices and saying oops! I need to pair again! to the
   other.


Do the devices then pair again without user intervention, re-using the 
PIN that paired them initially?


I always imagined I could use a lame PIN if I was far from any 
eavesdroppers...



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Citibank discloses private information to improve security

2005-05-30 Thread Matt Crawford

On May 26, 2005, at 13:24, Ed Gerck wrote:
A better solution, along the same lines, would have been for Citibank 
to

ask from their account holders when they login for Internet banking,
whether they would like to set up a three- or four-character 
combination

to be used in all emails from the bank to the account holder.


Why couldn't they just use digitally signed S/MIME email?  I'm sure 
that works just as well as signed SSL handshakes.



Oh.  Answered my own question, didn't I?


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: and constrained subordinate CA costs?

2005-03-28 Thread Matt Crawford
On Mar 25, 2005, at 11:55, Florian Weimer wrote:
Does anyone have info on the cost of sub-ordinate CA cert with a name
space constraint (limited to issue certs on domains which are
sub-domains of a your choice... ie only valid to issue certs on
sub-domains of foo.com).
Is there a technical option to enforce such a policy on subordinated
CAs?
There's an X.509v3 NameConstraints extension (which the higher CA would 
include in the lower CA's cert) but I have the impression that ends 
system software does not widely support it.  And of course if you don't 
flag it critical, it's not very effective.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: and constrained subordinate CA costs?

2005-03-28 Thread Matt Crawford
On Mar 25, 2005, at 16:06, Adam Back wrote:
There's an X.509v3 NameConstraints extension (which the higher CA 
would
include in the lower CA's cert) but I have the impression that ends
system software does not widely support it.  And of course if you 
don't
flag it critical, it's not very effective.
Well I would say downright dangerous -- if its not flagged critical
and not understood, right?
Implication would be an intended constrained subordinate CA would be
able to function as an unconstrained subordinate CA in the eyes of
many clients -- free ability to forge any domain in the global SSL
PKI.
Exactly.  (Just like the root CAs in the browser's shipped list.  :-)
And if it's marked critical, the certificate is no damn use to almost 
anyone.  Chicken, meet egg.  Egg, chicken.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Do You Need a Digital ID?

2005-03-25 Thread Matt Crawford
Now that the taxing bodies (US  states) have learned not to print the 
SSN on the mailing label, Illinois has gone further and requires a 
state-assigned PIN to file or access your tax information over the 
internet.  They helpfully provide you the PIN ... on the mailing label.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: PK - OTP?

2005-03-20 Thread Matt Crawford
My educated-layman's opinion is that the following is not feasible, 
but I'd be happy to be shown wrong ...
Given a closed public-key device such as a typical smart card with 
its limited set of operations (chiefly sign), is it possible to 
implement a challenge/response function such that
* Both the challenge and the response are short enough for an average 
user to be willing to type them when needed.
* The challenge can be generated, and the response verified using the 
cardholder's public key and a reasonable amount of computation.
What's wrong with sending the device encryption of a random number 
(using the public key of the device), and the device sending back the 
number as proof of possession of the corresponding secret key?
Would it not be the case that the challenge would be as long as the 
key, and hence to long to reasonably expect a user to type into a 
keypad?

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Digital Water Marks Thieves

2005-03-03 Thread Matt Crawford
On Feb 22, 2005, at 10:57, Dan Kaminsky wrote:
The point is that the thief should think anything expensive is
protected, by which I mean it's too traceable to fence.
That would be the thinking of a thief who read the article and took it 
at face value.  A more clever thief would realize that the magic water 
would respond to *his* ultraviolet light just as well as the police's.  
(And in today's climate, the counter-counteraction will be a measure to 
outlaw ultraviolet lights in the hands of private citizens ...)

  Let's vary piracy / with a little burglary!
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Code name Killer Rabbit: New Sub Can Tap Undersea Cables

2005-03-03 Thread Matt Crawford
On Feb 18, 2005, at 19:47, R.A. Hettinga wrote:
It does continue to be something of a puzzle as to how they get this 
stuff
back to home base, said John Pike, a military expert at 
GlobalSecurity.org.
I should think that in many cases, they can simply lease a fiber in the 
same cable.  What could be simpler?

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Digital Water Marks Thieves

2005-02-22 Thread Matt Crawford
that is [...] invisible until illuminated by police
officers using ultraviolet light.
That's amazing!  How do the tiny particles know that it's not a
civilian illuminating them with ultraviolet light?
And how does Wired reporter Robert Andrews fail to ask that question?
Why would it matter?
[...]
I don't really understand the complaints here.
My complaint is against the parroting of patently absurd claims by 
manufacturers (or governments, for that matter) under the guide of 
journalism.

If you need the reason to be concrete, here's one: I might buy this 
magic water and apply it to some of my stuff, figuring I don't have to 
shell out for a second pint because Robert Andrews has assured me the 
thieves can't determine that it's on my Thing-1 but not my Thing-2.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Digital Water Marks Thieves

2005-02-17 Thread Matt Crawford
On Feb 15, 2005, at 12:40, R.A. Hettinga wrote:
Instant, is a property-marking fluid that, when
brushed on items like office equipment or motorcycles, tags them with
millions of tiny fragments, each etched with a unique SIN (SmartWater
identification number) that is registered with the owner's details on a
national police database and is invisible until illuminated by police
officers using ultraviolet light.
That's amazing!  How do the tiny particles know that it's not a 
civilian illuminating them with ultraviolet light?

And how does Wired reporter Robert Andrews fail to ask that question?
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: how to tell if decryption was successfull?

2005-02-02 Thread Matt Crawford
On Feb 1, 2005, at 13:29, Andreas wrote:
I was wondering how can one tell if some data was successfully 
decrypted. Isn't there an assumption going on about what the cleartext 
data should be? Text? Image? ZIP file? Ziped jpeg? Another cyphertext? 
rot-13?
Embedded checksums or hash codes added before encryption.  The types of 
those checks must not interact badly with the encryption.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Cryptography Research wants piracy speed bump on HD DVDs

2004-12-22 Thread Matt Crawford
On Dec 15, 2004, at 11:54, Taral wrote:
What stops someone using 3 players and majority voting on frame data
bits?
As I understand it, they use such a huge number of bits for marking, 
that any reasonably-sized assembly of players will still coincide on 
some marked bits.
(However, I very much doubt whether they can blacklist all the players 
in the assembly without blacklisting some innocent players as well!)

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Do We Need a National ID Card?

2004-12-22 Thread Matt Crawford
On Dec 22, 2004, at 8:53, R.A. Hettinga wrote:
Do we need a national ID card?
The comment period on NIST's draft FIPS-201 (written in very hasty  
response to Homeland Security Presidential Directive HSPD-12) ends  
tomorrow.  The draft, as written, enables use of the card by Smart  
IEDs and for improved selection of kidnapping victims.

One cabinet department's Associate CIO for Cybersecurity said of this  
project, Eventually this is going to lead to a national ID card.

Refs:
http://csrc.nist.gov/piv-project/
http://www.fas.org/irp/offdocs/nspd/hspd-12.html
http://csrc.nist.gov/publications/drafts/draft-FIPS_201-110804- 
public1.pdf

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Maths holy grail could bring disaster for internet

2004-09-07 Thread Matt Crawford
On Sep 6, 2004, at 21:52, R. A. Hettinga wrote:
But the proof should give us more understanding of how the
primes work, and therefore the proof might be translated into something
that might produce this prime spectrometer. If it does, it will bring 
the
whole of e-commerce to its knees, overnight. So there are very big
implications.
This would be a good thing.  Because to rebuild the infrastructure 
based on symmetric crypto would bring the trusted third party 
(currently the CA) out of the shadows and into the light.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Compression theory reference?

2004-09-01 Thread Matt Crawford
On Aug 31, 2004, at 15:56, John Denker wrote:
 4) Don't forget the _recursion_ argument.  Take their favorite
algorithm (call it XX).  If their claims are correct, XX should
be able to compress _anything_.   That is, the output of XX
should _always_ be at least one bit shorter than the input.
Then the compound operation XX(XX(...)) should produce something
two bits shorter than the original input.  If you start with a
N-bit message and apply the XX function N-1 times, you should be
able to compress each and every message down to a single bit.
Plus a string of log(N) bits telling you how many times to apply the 
decompression function!
Uh-oh, now goes over the judge's head ...

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: How thorough are the hash breaks, anyway?

2004-08-31 Thread Matt Crawford
certificates.  The public key data is public, and it's a random
bitpattern where nobody would ever notice a few different bits.
If someone finds a collision for microsoft's windows update cert (or a
number of other possibilities), and the fan is well and truly buried
in it.
Correct me if I'm wrong ... but once finding
a hash collision on a public key, you'd also
need to find a matching private key, right?
But the odds are that you'd get an easy-to-factor modulus.  Would the 
casual relying party ever notice that?  I think not.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: First quantum crypto bank transfer

2004-08-23 Thread Matt Crawford
| However, I still don't believe that quantum cryptography can buy you
| anything but research funding (and probably easier lawful intercept
| because end-to-end encryption is so much harder).

Not to attack you personally - I've heard the same comments from many 
other
people - but this is a remarkably parochial attitude.

Quantum crypto raises fundamental issues in physics.
But we aren't physicists.
Hey!
It isn't research any more. There are companies trying to *sell this*.
Please don't blame the physicists for that.  It is still research, but 
someone is selling tincture of quantum physics in their snake-oil 
bottles.  Too bad that may poison the market for a really useful 
development a few years from now, but it does help shake the money tree 
for research.  And physics can use every dime it can get right now.

Matt Crawford   [EMAIL PROTECTED]
Fermilab Computer Security Coordinator
http://www.fnal.gov/
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: RPOW - Reusable Proofs of Work

2004-08-20 Thread Matt Crawford
I'm wondering how applicable RPOW is.  Generally speaking, all
the practical applications I can think of for a proof-of-work
are defeated if proofs-of-work are storable, transferable, or
reusable.
I have some code to play online games with cryptographic protection, 
cards and dice,
and I am planning to modify it to let people make bets with RPOWs as
the betting chips.
If you think of POW as a possible SPAM mitigation, how does the first 
receiving MTA assure the next MTA in line that a message was paid 
for?  Certainly the mail relay doesn't want to do new work, but the 
second MTA doesn't know that the first isn't a spambot.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: How a Digital Signature Works

2004-08-10 Thread Matt Crawford
  NEWS ANALYSIS :TECH
 By Stephen H. Wildstrom
How a Digital Signature Works
Is this a count the errors contest?  I count six.
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: E-commerce attack imminent; Sudden increase in port scanning for SSL doesn't look good

2004-07-23 Thread Matt Crawford
E-commerce attack imminent; Sudden increase in port scanning for SSL
doesn't look good.
http://www.techworld.com/security/news/index.cfm?NewsID=1975
... aka not necessarily an attack on SSL itself ... but identifying
end-points with open SSL ports as attack targets i.e. end-points with
open SSL ports are likely to be somewhat higher value targets than
machines w/o SSL ports  since the operators possibly feel they have
something to protect.

I can't see any reasonable way to derive your conclusion from the cited 
article.

   The surge began on 15 July, the day before the public disclosure
of a critical flaw in a server module called mod_ssl.
   The last time Netcraft observed similar activity was in April,
shortly before a wave of attacks on SSL servers that included the
compromise of some major e-commerce sites. Attackers used a flaw
in Microsoft's implementation of SSL to install malicious code...
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Satellite eavesdropping of 802.11b traffic

2004-05-28 Thread Matt Crawford
Don't dismiss possibilities for wireless data eavesdropping without 
considering the possibilities of this new chip

http://pr.caltech.edu/media/Press_Releases/PR12490.html
and its friends
http://www.chic.caltech.edu/
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: voting

2004-04-20 Thread Matt Crawford
On Apr 15, 2004, at 8:58 PM, Ed Gerck wrote:

Currently, voter privacy is absolute in the US and does not depend
even on the will of the courts. For example,  there is no way for a
judge to assure that a voter under oath is telling the truth about how
they voted, or not.
For many years in the 90's there was (maybe still is) a resident of 
Cook County, Illinois, who refused to vote because she was the only 
voter in her precinct, and the precinct totals would consist purely of 
her vote.  (She lived in a forest preserve.  There's probably some 
latter-day Brothers Grimm tale in this.)

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: I don't know PAIN...

2003-12-29 Thread Matt Crawford
On Dec 27, 2003, at 10:01 AM, Ben Laurie wrote:
Note that there is no theoretical reason that it should be possible 
to figure out the public key given the private key, either, but it so 
happens that it is generally possible to do so
So what's this generally possible business about?
Well, AFAIK its always possible, but I was hedging my bets :-) I can 
imagine a system where both public and private keys are generated from 
some other stuff which is then discarded.
Sure.  Imagine RSA where instead of a fixed public exponent (typically 
2^16 + 1), you use a large random public exponent.  After computing the 
private exponent, you discard the two primes and all other intermediate 
information, keeping only the modulus and the two exponents.  Now it's 
very hard to compute either exponent from the other, but they do 
constitute a public/private key-pair.  The operations will be more 
expensive that in standard RSA where one party has a small exponent and 
the other party has an arithmetical shortcut, but still far less 
computation than cracking the other party's key.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: NEMA rotor machine offered again on ebay

2003-12-15 Thread Matt Crawford
On Dec 14, 2003, at 8:26 AM, Steve Bellovin wrote:
http://cgi.ebay.com/ws/eBayISAPI.dll? 
ViewItemitem=2210624662ssPageName=ADME:B:SS:US:1

Last time such a machine appeared, some people reported that ebay
blocked their access to the listing.  That included one person in the
U.S.
Curious.  I can access that page from my US IP address on a government  
netblock, with bidirectional DNS resolution to a .gov domain name, IF I  
use Internet Explorer, but not if I use Opera or Safari on the very  
same host.  Cookies are not the issue.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Open Source (was Simple SSL/TLS - Some Questions)

2003-10-09 Thread Matt Crawford
On Thursday, Oct 9, 2003, at 04:31 America/Chicago, Peter Clay wrote:
If you want a VPN that road warriors can use, you have to do it with
IP-over-TCP. [...]
If someone out there wants to write VPN software that becomes widely 
used,
then they should make a free IP-over-TCP solution that works on Windows
and Linux which uses password authentication.
And people will mostly want to run TCP over their VPN.  See Why TCP 
Over TCP Is A Bad Idea by Olaf Titz at  
http://sites.inka.de/sites/bigred/devel/tcp-tcp.html

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: quantum hype

2003-09-22 Thread Matt Crawford
BTW, you can decrease the wavelength of a photon by bouncing it off 
moving
mirrors.
Sure.  To double the energy (halve the wavelength), move the mirror at 
70% of the speed of light.  And since you don't know exactly when the 
photon is coming, keep it moving at that speed ...

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Who is this Mallory guy anyway?

2003-09-22 Thread Matt Crawford
Well, that's the question - is Eve allowed to
forward packets, in the act of listening, or
is that the Mallory's job?  I don't know.
You can't measure a single-particle state without at least some chance 
of destroying the state.  (Even quantum non-demolition methods affect 
the measured system a bit.)  So you can't have a purely passive Eve.  
Perhaps Quentin is the Quantum Eavesdropper who makes his optimal 
tradeoff between gathering the most information and being the least 
detectable.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: An attack on paypal

2003-06-12 Thread Matt Crawford
 Matt Crawford [EMAIL PROTECTED] writes:
 ... Netscrape ind Internet Exploder each have a hack for
 honoring the same cert for multiple server names.  Opera seems to honor at
 least one of the two hacks, and a cert can incorporate both at once.
 
/C=US/ST=Illinois/L=Batavia/O=Fermilab/OU=Services
/CN=(alpha|bravo|charlie).fnal.gov/CN=alpha.fnal.gov
/CN=bravo.fnal.gov/CN=charlie.fnal.gov
 
 Just to clarify this, so you need a multivalued CN, with one containing the
 expression (a|b|c) and the remaining containing each of a, b, and c?
 Is it multiple AVAs in an RDN, or multiple RDNs?   (Either of these could be
 hard to generate with a lot of software, which can't handle multiple AVAs in
 an RDN or multiple same-type RDNs).  Which hack is for MSIE and which is for
 Netscape?

Each CN is in a single-element RDN as usual. Netscape honors only the
first CN in the SubjectDN, but will treat it as a restricted regex
(shell-like * wildcard, alternation and grouping). IE checks the
server name against each CN's individually.

This was mainly determined by experimentation.  I think we did find a
limit on how long that first regex could be, but I don't remember
what it was.  Longer than my example, but short enough that some of
our bigger virtual-hosting servers were inconvenienced by it.

Openssl has no qualms about multiple same-type components.  You just
have to use the somewhat documented

0.commonName = ...
1.commonName = ...
2.commonName = ...

in the configuration file.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]