to work on that around 1998, they
might still have some of that design around.
--Paul Hoffman
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
On 30 September 2013 23:35, John Kelsey crypto@gmail.com wrote:
If there is a weak curve class of greater than about 2^{80} that NSA knew
about 15 years ago and were sure nobody was ever going to find that weak
curve class and exploit it to break classified communications protected by
At a stretch, one can imagine circumstances in which trying multiple seeds
to choose a curve would lead to an attack that we would not easily
replicate. I don't suggest that this is really what happened; I'm just
trying to work out whether it's possible.
Suppose you can easily break an elliptic
Also see RFC 3766 from almost a decade ago; it has stood up fairly well.
--Paul Hoffman
[all your normal X.509 authentication stuff]
Merging these into one is exactly why we got transport mode,
authenticated header, IKEv2 narrowing and a bunch of BTNS drafts no
one uses.
Stop making crypto harder!
Paul
From the title it sounds like you're talking about my 2007 proposal:
http://www.lshift.net/blog/2007/11/10/squaring-zookos-triangle
http://www.lshift.net/blog/2007/11/21/squaring-zookos-triangle-part-two
This uses key stretching to increase the work of generating a colliding
identifier from 2^64
technical arguments,
and not with video hype. And I'll gladly take the time to explain
things.
Paul
On Sep 4, 2013, at 2:15 PM, Andy Steingruebl stein...@gmail.com wrote:
As of Jan-2014 CAs are forbidden from issuing/signing anything less than 2048
certs.
For some value of forbidden. :-)
--Paul Hoffman
(and requires an admin when it would reboot), yet
the Windows based VM's would need no disk encryption supported whatsoever.
My laptop for instance is running Fedora with whole disk encryption, and I
run various Windows VM's that have their image stored on that encrypted disk.
Paul
vendor keeps that key, usually in cert form, in its
trust anchor pile. You should not extrapolate *anything* from the contents of
the CA cert except the key itself and the proclaimed name associated with it.
--Paul Hoffman, Director
--VPN Consortium
At 5:33 PM -0400 9/14/10, Thor Lancelot Simon wrote:
On Tue, Sep 14, 2010 at 08:14:59AM -0700, Paul Hoffman wrote:
At 10:57 AM -0400 9/14/10, Perry E. Metzger did not write, but passed on for
someone else:
This suggests to me that even if NIST is correct that 2048 bit RSA
keys
.
It seems to be deciding on certs (not raw keys/hashes) to simplify and re-use
the existing TLS based implementations (eg HTTPS)
Paul
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord
in DNSSEC, a key can be rolled in a matter of hours
or days.
Paul
At 11:35 AM +1000 8/16/10, Arash Partow wrote:
Paul Hoffman wrote:
You are under the wrong impression, unless you are reading vastly different
crypto literature than the rest of us are. RSA-1024 *might* be possible to
break in public at some point in the next decade, and RSA-2048 is a few orders
of magnitude harder than that.
--Paul Hoffman, Director
--VPN Consortium
to reap the benefits from our new infrastructure.
Paul
a unique state (because
they might start within the same refresh. If you need that, you probably want
to automatically mix a microsecond-accurate time at the same time.
--Paul Hoffman, Director
--VPN Consortium
. So my question to the list: is this useful? Is this
doable with popular systems (e.g. Linux running on VMWare or VirtualBox)? Is
this actually being done?
Both xen and kvm do not do this currently. It is problematic for servers.
Paul
level. Requesting specific additional records will remove
the need for another latency driven DNS lookup to get more crypto information.
And obsolete the broken CA model while gaining improved support for SSL certs
by removing all those enduser warnings.
Paul
. 57.38 groestl256
20. 66.00 luffa512
21. 87.56 cubehash1632
22. 88.69 echo256
23. 93.56 shavite3512
24. 100.69 groestl512
25. 106.69 fugue256
26. 111.38 echo512
Regards,
--
Paul
paulcrossb...@123mail.org
Hi,
I've heard rumors of an attack on the SHA-2 family reducing complexity of
SHA256 to something less or equal of 112 bits.
This attack will apparently be announced in a few days - perhaps at Black Hat or
Def Con?
I would be interested in knowing more.
Paul
that there was not enough random left at all.
By saving the entropy from a longer run system at shutdown, you increase the
entropy of the next boot by adding randomness from the previous state(s)
Paul
/present/view?id=df9sn445_206ff3kn9gs
Great slides! The TOFU/POP is nice, and my favorite concept was to translate
every error message into a one sentence, easy-to-understand statement.
Paul Tiemann
(DigiCert)
--it felt like my chance
to talk to a rock star.
All the best,
Paul Tiemann
(DigiCert)
that base themselves on CRL.
Paul Tiemann
(DigiCert)
, would the bad guy be able to backdate the
signature?
Paul Tiemann
(DigiCert)
operations from more perspectives than just
dollars and cents.
When I read that nist.gov link, the joke about the spherical cow popped into my
head.
Paul Tiemann
(DigiCert)
money.
Looks like at least one site is out there: http://ie6update.com/ but has no
Paypal donate button, and doesn't offer newcomers the reasons they should
switch to something more modern.
Maybe this is too utopian. But laughing does work, sometimes.
Paul Tiemann
(DigiCert
around when this happened, but maybe revoking for Key compromise was
considered just as good. And maybe it's rare enough not to need its own
special if() statement in all the browsers. The browsers don't really do
different things based on the reason code anyway (to my knowledge)
Paul
not actually sure what the fix would be for this, or even if there is a
fix that needs to be made. Thus the hope to get it discussed on the list.
Well, if nothing else, the smaller certificates might at least help whatever
PKI library was getting the segv.
Paul Tiemann
(DigiCert
to participate in the discussion. We're very open to
considering the risks, and not afraid to make changes based on feedback like
this. From my call with Edgecast I can tell you they feel the same way, and
they're willing to make changes to improve.
All the best,
Paul Tiemann
CTO, DigiCert, Inc
On Fri, 16 Jul 2010, Taral wrote:
Neat, but not (yet) useful... only these TLDs have DS records:
The rest will follow soon. And it is not that you had to stop those
TLD trust anchors just now.
Several are using old SHA-1 hashes...
old ?
Paul
.
insert chide about your criticism of the exact shade of red used on the
curtains in the theater
--Paul Hoffman, Director
--VPN Consortium
.
The article lists NIST having done tests, but does not mention any CPU model
where
this is on. Anyone knows?
Paul
with an HWRNG on die. It's been shipping
for years.
Paul
reduction to the discrete log problem in exactly the way that
Schnorr does.
--
__
\/ o\ Paul Crowley, p...@ciphergoth.org
/\__/ http://www.ciphergoth.org/
, and there is
money to be thrown down the drain^w^w^wat them, there will be active
development.
--Paul Hoffman, Director
--VPN Consortium
?
--Paul Hoffman, Director
--VPN Consortium
will
be a linear function.
--Paul
changes needed when one algorithm
fails is low. Later software updates that contain other changes can also
include new algorithms that are suspected to be good even if all of the
original ones fail.
--Paul Hoffman, Director
--VPN Consortium
At 7:10 PM -0700 8/19/09, james hughes wrote:
On Aug 19, 2009, at 3:28 PM, Paul Hoffman wrote:
I understand that creaking is not a technical cryptography term, but
certainly is. When do we become certain that devastating attacks on one
feature of hash functions (collision resistance) have any
without any hint of preimage attacks, the less
certain I am that collision attacks are even related to preimage attacks.
Of course, I still believe in hash algorithm agility: regardless of how
preimage attacks will be found, we need to be able to deal with them
immediately.
--Paul Hoffman
At 2:46 PM -0700 8/19/09, Greg Rose wrote:
...some summaries of some of the presentations...
More like this, please! The rump sessions have a lot of value (beyond the
often-strained attempts at humor).
--Paul Hoffman, Director
--VPN Consortium
At 7:54 AM -0600 7/18/09, Zooko Wilcox-O'Hearn wrote:
This involves deciding whether a 192-bit elliptic curve public key is strong
enough...
Why not just go with 256-bit EC (128-bit symmetric strength)? Is the 8 bytes
per signature the issue, or the extra compute time?
--Paul Hoffman, Director
At 11:09 PM +0200 7/14/09, Weger, B.M.M. de wrote:
Any other problems? Maybe something with key rollover or
interoperability?
Bingo. Key rollover has been thinly tested in relying parties.
--Paul Hoffman, Director
--VPN Consortium
definition, and they can't make MD6 work within that definition.
But that doesn't mean that NIST wouldn't have accepted the fast-enough MD6 with
a proof from someone else.
--Paul Hoffman, Director
--VPN Consortium
or not NIST would really rely on the
proofs. It was clear they didn't want to withdraw MD6, but that they felt like
they had to because of the speed requirement.
--Paul Hoffman, Director
--VPN Consortium
* 1024) of brute force? That is a
silly reduction; reducing it to anything less than the estimate for NFS (about
80 bits) is not useful. Or, can this attack be combined with NFS? Or...?
--Paul Hoffman, Director
--VPN Consortium
on this list used the book to teach a class? If so, did you create a
list of discussion questions? Or, do people know profs who have used the book
to teach? Any pointers are appreciated.
--Paul Hoffman
on this list and in the press are sloppy about
security decisions that involve periods of time longer than about a year.
--Paul Hoffman, Director
--VPN Consortium
At 6:02 PM +0200 5/8/09, R. Hirschfeld wrote:
Date: Tue, 5 May 2009 10:17:00 -0700
From: Paul Hoffman paul.hoff...@vpnc.org
the CA fixed the problem and researched all related problems that it
could find.
From what I've read of the incident (I think it's the one referred
to), Comodo
At 1:02 AM +1200 5/7/09, Peter Gutmann wrote:
Paul Hoffman paul.hoff...@vpnc.org writes:
Peter, you really need more detents on the knob for your hyperbole setting.
nothing happened is flat-out wrong: the CA fixed the problem and researched
all related problems that it could find. Perhaps you
should be ready to answer who will benefit from the punishment
and in what way should the CA be punished. (You don't have to answer these,
of course: you can just mete out punishment because it makes you feel good and
powerful. There is lots of history of that.)
--Paul Hoffman, Director
--VPN
At 6:44 PM -0400 5/5/09, Jerry Leichter wrote:
On May 5, 2009, at 1:17 PM, Paul Hoffman wrote:
...This leads to the question: if a CA in a trust anchor pile does something
wrong (terribly wrong, in this case) and fixes it, should they be punished?
If you say yes, you should be ready to answer
time seeing where the actual cryptography is specified. They mention
that they use AES but I can't see where they tell us what mode of
operation they are using.
--
__
\/ o\ Paul Crowley
/\__/ www.ciphergoth.org
on security issues.
http://gcn.com/articles/2009/01/23/obama-gets-super-secure-smartphone.aspx
I too would like to hear more information on this, particularly the crypto that
is known to be used on the Edge.
--Paul Hoffman, Director
--VPN Consortium
that there is a straight-line loss of bits, you would
have to be believing that the attack is much worse for SHA2/384 than it was for
SHA2/256 in order to bring the output down to the level that I need.
--Paul Hoffman, Director
--VPN Consortium
.
--Paul Hoffman, Director
--VPN Consortium
?
--
__
\/ o\ Paul Crowley
/\__/ www.ciphergoth.org
the pain is avoided:
Yes+. That's why we designed IDNA that way.
--Paul Hoffman, Director
--VPN Consortium
At 11:08 AM -0700 8/21/08, Greg Rose wrote:
Adi mentioned that the slides and paper will go online around the
deadline for Eurocrypt submission; it will all become much clearer
than my wounded explanations then.
There now: http://eprint.iacr.org/2008/385
--Paul Hoffman, Director
--VPN
is that people who have
more stake in the game (Mozilla Inc.) have spent longer thinking
about this than we give them credit for and come to the design
decisions that they have.
--Paul Hoffman, Director
--VPN Consortium
have similarly poor security. Knowing this, do you
wish to continue anyway?
--Paul Hoffman, Director
--VPN Consortium
application-wide? What are the (security-related) implications in each
case?
They can safely be chosen application-wide, so long as they are secure
choices as per the Group parameter agreement section of the SRP spec.
--
__
\/ o\ Paul Crowley, [EMAIL PROTECTED]
/\__/ http://www.ciphergoth.org
. However, glancing through the SSE5 specification, I
can't see at all how such a dramatic speedup might be achieved. Does
anyone know any more, or can anyone see more than I can in the spec?
http://developer.amd.com/cpu/SSE5/Pages/default.aspx
--
__
\/ o\ Paul Crowley
/\__/ www.ciphergoth.org
that it is quite expensive. I
suspect that nearly everyone in the country would be happy to pay an
additional $1/election for more reliable results.
--Paul Hoffman, Director
--VPN Consortium
.
I understand most current browsers support OCSP.
...and only a tiny number of CAs do so.
--Paul Hoffman, Director
--VPN Consortium
to above), code changes and a universal
rollout in all DNS software (which you allude to at the end), and
stable rollout of the DNSSEC trust anchor system in every significant
zone and all resolvers.
FWIW, only the latter has anything to do with this mailing list...
--Paul Hoffman, Director
make nearly as much difference as a diligent security expert with a
good name.
--Paul Hoffman, Director
--VPN Consortium
of opacity.
So, I agree with Peter that that article is probably correct about protocols.
--Paul Hoffman, Director
--VPN Consortium
uncomplicated, modulo initial setup.
And, if you want to host on FreeBSD instead of Linux, see
http://www.rootbsd.net/. Same price, good service.
--Paul Hoffman, Director
--VPN Consortium
At 10:25 AM +0100 5/15/08, Ben Laurie wrote:
Paul Hoffman wrote:
I'm confused about two statements here:
At 2:10 PM +0100 5/13/08, Ben Laurie wrote:
The result of this is that for the last two years (from Debian's
Edgy release until now), anyone doing pretty much any crypto on
Debian
More interesting threadage about the issue here:
http://taint.org/2008/05/13/153959a.html, particularly in the
comments.
--Paul Hoffman, Director
--VPN Consortium
? It
seems like a pretty flimsy straw man.
--Paul Hoffman, Director
--VPN Consortium
that SSL/TLS can protect email
privacy,
That's not what I asked, of course.
--Paul Hoffman, Director
--VPN Consortium
and the other two could wither over the ensuing
decades. If we're lucky.
--Paul Hoffman, Director
--VPN Consortium
show anything, but I'm probably using the wrong terms. Do you have
references for this that I could have a look at?
Thanks,
--
Paul
from last week.
I watched the webcast of the rump session, and Christian Rechberger
said that they think they will get 2^60ish with a new technique. He
did not describe the technique in any detail. Offline, he has told me
that there will be papers published.
--Paul Hoffman, Director
--VPN
new cryptanalytic methods... sounds great, but is
meaningless without specifics.
--Paul Hoffman, Director
--VPN Consortium
, or what.
--Paul Hoffman, Director
--VPN Consortium
At 7:58 PM +1200 7/20/07, [EMAIL PROTECTED] wrote:
Paul Hoffman [EMAIL PROTECTED] writes:
At 2:45 AM +1200 7/20/07, [EMAIL PROTECTED] wrote:
|From a security point of view, this is really bad. From a
usability point of
|view, it's necessary.
As you can see from my list of proposed solutions
are about to put it back in.
Note that I did not criticize the practice of starting with a zillion
roots that Microsoft trusts.
--Paul Hoffman, Director
--VPN Consortium
the cost of the end
boxes for still-useful DH.
Oh, and all the above is ignoring that DH works over multiple hops of
different media, and quantum crypto doesn't (yet, maybe ever).
--Paul Hoffman, Director
--VPN Consortium
At 2:49 PM -0500 6/26/07, Nicolas Williams wrote:
On Fri, Jun 22, 2007 at 10:43:16AM -0700, Paul Hoffman wrote:
This was discussed many times, and always rejected as not good
enough by the purists. Then the IETF created the BTNS Working Group
which is spending huge amounts of time getting
this other actually secure stuff).
Whereas I was in the camp of liking the name very much for the very
reason that this thread was started: because it lets you encrypt an
arbitrary conversation with essentially no startup cost.
--Paul Hoffman, Director
--VPN Consortium
the attacker has the ability to perform 2^128 or
more operations, which he doesn't.
Which part of the word useless is not apparent here?
--Paul Hoffman, Director
--VPN Consortium
by the purists. Then the IETF created the BTNS Working Group
which is spending huge amounts of time getting close to purity again.
--Paul Hoffman, Director
--VPN Consortium
At 10:44 AM -0700 6/22/07, Ali, Saqib wrote:
...whereas the key distribution systems we have aren't affected by
eavesdropping unless the attacker has the ability to perform 2^128 or
more operations, which he doesn't.
Paul: Here you are assuming that key exchange has already taken place
years ago.
As far
as I know, there isn't even a way to store mail routing information in
X.509 certificates.
Why would you need to? SMTP-over-TLS only identifies the system to
whom you are speaking. No routing information is needed or wanted.
--Paul Hoffman, Director
--VPN Consortium
For the math weenies on the list, see the full announcement here:
http://listserv.nodak.edu/cgi-bin/wa.exe?A2=ind0705&L=nmbrthry&T=0&P=1019.
--Paul Hoffman, Director
--VPN Consortium
migration.
That's good of you not to expect it, given that zero of the major CAs
seem to support ECC certs today, and even if they did, those certs
would not work in IE on XP.
--Paul Hoffman, Director
--VPN Consortium
on those machines.
--Paul Hoffman, Director
--VPN Consortium
professionals without
any negative consequences?
Because doing so can get things finished earlier and/or make a more
efficient protocol.
Same as it ever was.
--Paul Hoffman, Director
--VPN Consortium
At 7:26 PM -0400 4/5/07, Thor Lancelot Simon wrote:
On Thu, Apr 05, 2007 at 07:32:09AM -0700, Paul Hoffman wrote:
Control: The root signing key only controls the contents of the root,
not any level below the root.
That is, of course, false,
This is, of course false. In order to control
At 7:54 PM -0400 4/5/07, Thor Lancelot Simon wrote:
On Thu, Apr 05, 2007 at 04:49:33PM -0700, Paul Hoffman wrote:
because, with it, one can sign the appropriate
chain of keys to forge records for any zone one likes.
If the owner of any key signs below their level, it is immediately
/ months will be spent finger-pointing instead of fixing.
--Paul Hoffman, Director
--VPN Consortium
in the ISP community even before this event: many
are not sure they trust ICANN itself, much less its current sponsor.
Note that I'm not supporting the US signing the root in the least.
I'm just saying that predicting doom is grossly premature.
/anti-rant
--Paul Hoffman, Director
--VPN Consortium
after SHA-1 needs to stop being used.
--Paul Hoffman, Director
--VPN Consortium
are in the second group. It looks like NIST sided with the
first group, but it will be interesting if the folks in the second
group are vocal during the coming few years.
--Paul Hoffman, Director
--VPN Consortium
it down one layer in the
stack. At least that way you'll know the security properties of what
you create.
--Paul Hoffman, Director
--VPN Consortium