[Cryptography] Ars Technica on the Taiwanese National ID smart card break

2013-09-17 Thread Perry E. Metzger
in Ars Technica: http://arstechnica.com/security/2013/09/fatal-crypto-flaw-in-some-government-certified-smartcards-makes-forgery-a-snap/ -- Perry E. Metzger pe...@piermont.com ___ The cryptography mailing list cryptography@metzdowd.com

Re: [Cryptography] paranoid cryptoplumbing is a probably not defending the weakest point

2013-09-17 Thread Perry E. Metzger
(except for RC4) is (probably) not going to be your symmetric cipher. It will be protocol flaws and implementation flaws. No point in making the barn out of titanium if you're not going to put a door on it. Perry -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] Radioactive random numbers

2013-09-17 Thread Perry E. Metzger
On Tue, 17 Sep 2013 11:35:34 -0400 Perry E. Metzger pe...@piermont.com wrote: Added c...@panix.com -- if you want to re-submit this (and maybe not top post it) I will approve it... Gah! Accidentally forwarded that to the whole list, apologies. -- Perry E. Metzger pe

[Cryptography] paranoid cryptoplumbing is a probably not defending the weakest point

2013-09-17 Thread Perry E. Metzger
for low performance applications to do something like Bill Frantz suggests. It is in the nature of people in our community to like playing with such things. Just don't take them *too* seriously please. Perry -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] Radioactive random numbers

2013-09-17 Thread Perry E. Metzger
ripping the chip apart. On 9/12/13 11:00 AM, Perry E. Metzger pe...@piermont.com wrote: On Wed, 11 Sep 2013 17:06:00 -0700 Tony Arcieri basc...@gmail.com wrote: It seems like Intel's approach of using thermal noise is fairly sound. Is there any reason why it isn't more widely adopted

[Cryptography] Ivan Ristić blog post on TLS best practices

2013-09-17 Thread Perry E. Metzger
Recommends phasing out RC4 among other things: http://blog.ivanristic.com/2013/09/updated-best-practices-deprecate-rc4.html -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] The paranoid approach to crypto-plumbing

2013-09-17 Thread Perry E. Metzger
are unpredictable and do not repeat, it prevents a bad actor from using the IV as a covert channel. (Some would argue against using CBC mode entirely -- see Rogaway's paper on block cipher modes.) Perry -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] paranoid cryptoplumbing is a probably not defending the weakest point

2013-09-17 Thread Perry E. Metzger
rather than breaking the crypto: putting back doors in protocols, stealing keys, encouraging weak RNGs, adding flaws to hardware, etc. -- as well as doing active attacks using stolen or broken CA keys. I don't doubt that they archive everything they can forever, of course. Perry -- Perry E. Metzger

[Cryptography] Johns Hopkins round table on NSA and Crypto

2013-09-17 Thread Perry E. Metzger
Matthew Green tweeted earlier today that Johns Hopkins will be hosting a roundtable at 10am EDT tomorrow (Wednesday, September 18th) to discuss the NSA crypto revelations. Livestream will be at: https://connect.johnshopkins.edu/jhuisicrypto/ Perry -- Perry E. Metzger pe

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-17 Thread Perry E. Metzger
keys, theft of RSA keys may very well be much easier in many cases than broader forms of sabotage. Perry -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] A lot to learn from Business Records FISA NSA Review

2013-09-16 Thread Perry E. Metzger
the (not very usable) seLinux MAC (Multilevel Access Control) system, so clearly they do some hacking on security infrastructure. (I will not argue with the larger point though.) Perry -- Perry E. Metzger pe...@piermont.com

[Cryptography] Apple and Certificate Pinning

2013-09-16 Thread Perry E. Metzger
I've not been able to figure out if Apple is using certificate pinning for its applications (including its update systems) that seem to use PKI. Does anyone know? -- Perry E. Metzger pe...@piermont.com

[Cryptography] ADMIN: entropy of randomness discussion is falling...

2013-09-15 Thread Perry E. Metzger
of the couple thousand people reading along. I'd like to ask participants to please: 1) Write compactly but clearly. 2) Avoid repeating themselves. Perry -- Perry E. Metzger pe...@piermont.com

[Cryptography] Key management, key storage. (was Re: prism proof email, namespaces, and anonymity)

2013-09-14 Thread Perry E. Metzger
.html In summary, I proposed a way you can map IDs to keys through pure long term observation/widely witnessed events. The idea is not original given that to some extent things like Certificate Transparency already do this in other domains. Perry -- Perry E. Metzger pe

Re: [Cryptography] RSA equivalent key length/strength

2013-09-14 Thread Perry E. Metzger
in strength -- see the RFC itself for details. Perry -- Perry E. Metzger pe...@piermont.com

[Cryptography] Quantum Computers for Shor's Algorithm (was Re: Perfection versus Forward Secrecy)

2013-09-14 Thread Perry E. Metzger
be welcome of course.) Perry -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] Quantum Computers for Shor's Algorithm (was Re: Perfection versus Forward Secrecy)

2013-09-14 Thread Perry E. Metzger
. It is of course possible that there's been secret research on this at NSA which has gotten far further, but I would expect that the manufacturing technology needed to do that would require a huge number of people to pull off, too many to keep quiet indefinitely. Perry -- Perry E. Metzger pe

Re: [Cryptography] Stealthy Dopant-Level Hardware Trojans

2013-09-13 Thread Perry E. Metzger
chain. Perry -- Perry E. Metzger pe...@piermont.com

[Cryptography] Security is a total system problem (was Re: Perfection versus Forward Secrecy)

2013-09-13 Thread Perry E. Metzger
E. Metzger pe...@piermont.com

Re: [Cryptography] Summary of the discussion so far

2013-09-13 Thread Perry E. Metzger
On Fri, 13 Sep 2013 15:46:58 -0500 Nico Williams n...@cryptonector.com wrote: On Fri, Sep 13, 2013 at 03:17:35PM -0400, Perry E. Metzger wrote: On Thu, 12 Sep 2013 14:53:28 -0500 Nico Williams n...@cryptonector.com wrote: Traffic analysis can't really be defeated, not in detail

Re: [Cryptography] prism proof email, namespaces, and anonymity

2013-09-13 Thread Perry E. Metzger
proposals. I agree this makes email delivered malware continue to be a bit of a problem, though you could only get it from your friends. Perry -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] Radioactive random numbers

2013-09-12 Thread Perry E. Metzger
and that the design wasn't sabotaged. That's harder to do. Perry -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] Radioactive random numbers

2013-09-12 Thread Perry E. Metzger
validate. Yes, this is hard. Perry -- Perry E. Metzger pe...@piermont.com

[Cryptography] ADMIN: Please pick appropriate Subject lines...

2013-09-11 Thread Perry E. Metzger
.) Perry -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] Availability of plaintext/ciphertext pairs (was Re: In the face of cooperative end-points, PFS doesn't help)

2013-09-11 Thread Perry E. Metzger
that depends on known plaintext, crib dragging (that is, trying all of the small number of possibilities) is easy. Perry -- Perry E. Metzger pe...@piermont.com

[Cryptography] Killing two IV related birds with one stone

2013-09-11 Thread Perry E. Metzger
calculation. If you don't transmit the IVs at all but calculate them, the system will not interoperate if the implicit IVs aren't calculated the same way by both sides, thus ensuring that the covert channel is closed. Perry -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] Radioactive random numbers

2013-09-11 Thread Perry E. Metzger
be fabricated on chip and thus have nearly zero marginal cost. The huge disadvantage is that if your opponent can convince chip manufacturers to introduce small changes into their design, you're in trouble. Perry -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] Killing two IV related birds with one stone

2013-09-11 Thread Perry E. Metzger
give you an IV? Certainly, but if you remove most or all covert channels, you've narrowed the problem down to auditing the RNG instead of having to audit much more of the system. It is all a question of small steps towards better assurance. No one measure will fix everything. -- Perry E. Metzger

[Cryptography] Fw: how could ECC params be subverted other evidence

2013-09-10 Thread Perry E. Metzger
+0200 From: Adam Back a...@cypherspace.org To: Perry E. Metzger pe...@piermont.com Cc: Alexander Klimov alser...@inbox.ru, Cryptography List cryptography@metzdowd.com, Adam Back a...@cypherspace.org Subject: Re: [Cryptography] how could ECC params be subverted other evidence Perry wrote

[Cryptography] Reports: NSA, GCHQ used forged certs to impersonate Google

2013-09-10 Thread Perry E. Metzger
long. Perry -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] Techniques for malevolent crypto hardware

2013-09-10 Thread Perry E. Metzger
On Sun, 8 Sep 2013 15:22:32 -0400 Perry E. Metzger pe...@piermont.com wrote: Ah, now *this* is potentially interesting. Imagine if you have a crypto accelerator that generates its IVs by encrypting information about keys in use using a key an observer might have or could guess from a small

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-10 Thread Perry E. Metzger
precisely this attack. Perry -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] Fw: how could ECC params be subverted other evidence

2013-09-10 Thread Perry E. Metzger
in standards work any longer. A set of short sighted, foolish decisions have created tragedy for all. Perry -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] Availability of plaintext/ciphertext pairs (was Re: In the face of cooperative end-points, PFS doesn't help)

2013-09-10 Thread Perry E. Metzger
), and have enough key material, a second key might be of value for that -- but I don't know what all the ins and outs are, and would prefer to read the literature... Perry -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] AES state of the art...

2013-09-09 Thread Perry E. Metzger
On Mon, 9 Sep 2013 14:18:41 +0300 Alexander Klimov alser...@inbox.ru wrote: On Sun, 8 Sep 2013, Perry E. Metzger wrote: What's the current state of the art of attacks against AES? Is the advice that AES-128 is (slightly) more secure than AES-256, at least in theory, still current? I am

[Cryptography] ADMIN: traffic levels

2013-09-09 Thread Perry E. Metzger
E. Metzger pe...@piermont.com

Re: [Cryptography] Random number generation influenced, HW RNG

2013-09-09 Thread Perry E. Metzger
for saying this, in an environment where the NSA is spending $250M a year to undermine efforts like your own it is impossible for third parties to trust black boxes any longer. I think you may not have absorbed that what a week or two ago was a paranoid fantasy turns out to be true. Perry -- Perry E

Re: [Cryptography] how could ECC params be subverted other evidence

2013-09-09 Thread Perry E. Metzger
On Tue, 10 Sep 2013 00:23:51 +0200 Adam Back a...@cypherspace.org wrote: On Mon, Sep 09, 2013 at 06:03:14PM -0400, Perry E. Metzger wrote: On Mon, 9 Sep 2013 14:07:58 +0300 Alexander Klimov wrote: No. They are widely used curves and thus a good way to reduce conspiracy theories

Re: [Cryptography] [cryptography] SSH uses secp256/384r1 which has the same parameters as what's in SEC2 which are the same the parameters as specified in SP800-90 for Dual EC DRBG!

2013-09-09 Thread Perry E. Metzger
, a week ago this was paranoia, but now we have confirmation, so it is no longer paranoia. -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] [cryptography] SSH uses secp256/384r1 which has the same parameters as what's in SEC2 which are the same the parameters as specified in SP800-90 for Dual EC DRBG!

2013-09-09 Thread Perry E. Metzger
On Tue, 10 Sep 2013 00:25:20 +0100 Peter Fairbrother zenadsl6...@zen.co.uk wrote: On 09/09/13 23:03, Perry E. Metzger wrote: On Mon, 9 Sep 2013, Daniel wrote: [...] They are widely used curves and thus a good way to reduce conspiracy theories that they were chosen in some malicious way

[Cryptography] Why are some protocols hard to deploy? (was Re: Opening Discussion: Speculation on BULLRUN)

2013-09-08 Thread Perry E. Metzger
that it has acted as an enormous tar baby. Perry -- Perry E. Metzger pe...@piermont.com

[Cryptography] Impossible trapdoor systems (was Re: Opening Discussion: Speculation on BULLRUN)

2013-09-08 Thread Perry E. Metzger
the corresponding plaintext when any given ciphertext might correspond to many, many different plaintexts depending on the key. That's clearly not something you can do. Perry -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] Techniques for malevolent crypto hardware

2013-09-08 Thread Perry E. Metzger
On Sun, 8 Sep 2013 15:55:52 -0400 Thor Lancelot Simon t...@rek.tjls.com wrote: On Sun, Sep 08, 2013 at 03:22:32PM -0400, Perry E. Metzger wrote: Ah, now *this* is potentially interesting. Imagine if you have a crypto accelerator that generates its IVs by encrypting information about keys

[Cryptography] AES state of the art...

2013-09-08 Thread Perry E. Metzger
What's the current state of the art of attacks against AES? Is the advice that AES-128 is (slightly) more secure than AES-256, at least in theory, still current? (I'm also curious as to whether anyone has ever proposed fixes to the weaknesses in the key schedule...) Perry -- Perry E. Metzger

[Cryptography] Paper on Tor deanonymization: Users Get Routed

2013-09-08 Thread Perry E. Metzger
. This clearly shows the dramatic effect an adversary that controls multiple ASes can have on security. Disclaimer: one of the authors (Micah Sherr) is a doctoral brother. Perry -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] Techniques for malevolent crypto hardware

2013-09-08 Thread Perry E. Metzger
should worry about anyway. Perry -- Perry E. Metzger pe...@piermont.com

[Cryptography] Does NSA break in to endpoints (was Re: Bruce Schneier has gotten seriously spooked)

2013-09-07 Thread Perry E. Metzger
On Sat, 07 Sep 2013 09:33:28 +0100 Brian Gladman b...@gladman.plus.com wrote: On 07/09/2013 01:48, Chris Palmer wrote: Q: Could the NSA be intercepting downloads of open-source encryption software and silently replacing these with their own versions? Why would they perform the attack

[Cryptography] ADMIN: Volume, top posting, trimming, SUBJECT LINES

2013-09-07 Thread Perry E. Metzger
1) Volume has gotten understandably high the last few days given the current news. I'd like people to please consider if their posting conveys interesting information before sending. 2) Please adjust the Subject lines of your messages if your posting deviates from the original Subject. This makes

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-07 Thread Perry E. Metzger
On Sat, 07 Sep 2013 13:01:53 -0700 Ray Dillinger b...@sonic.net wrote: I think we can no longer rule out the possibility that some attacker somewhere (it's easy to point a finger at the NSA but it could be just as likely pointed at GCHQ or the IDF or Interpol) may have secretly developed a

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-07 Thread Perry E. Metzger
On Sat, 7 Sep 2013 13:06:14 -0700 Tony Arcieri basc...@gmail.com wrote: In order to beat quantum computers, we need to use public key systems with no (known) quantum attacks, such as lattice-based (NTRU) or code-based (McEliece/McBits) algorithms. ECC and RSA will no longer be useful. I'm

[Cryptography] Replacing CAs (was Re: Why prefer symmetric crypto over public key crypto?)

2013-09-07 Thread Perry E. Metzger
On Sat, 7 Sep 2013 17:46:39 -0400 Derrell Piper d...@electric-loft.org wrote: On Sep 6, 2013, at 11:51 PM, Marcus D. Leech mle...@ripnet.com wrote: The other thing that I find to be a dirty little secret in PK systems is revocation. OCSP makes things, in some ways, better than CRLs,

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-07 Thread Perry E. Metzger
On Sat, 7 Sep 2013 20:43:39 -0400 I wrote: To my knowledge, there is no ECC analog of Shor's algorithm. ...and it appears I was completely wrong on that. See, for example: http://arxiv.org/abs/quantph/0301141 Senility gets the best of us. Perry

Re: [Cryptography] Can you backdoor a symmetric cipher

2013-09-06 Thread Perry E. Metzger
On Thu, 5 Sep 2013 21:42:29 -0700 Jon Callas j...@callas.org wrote: On Sep 5, 2013, at 9:33 PM, Perry E. Metzger pe...@piermont.com wrote: It is probably very difficult, possibly impossible in practice, to backdoor a symmetric cipher. For evidence, I direct you to this old paper

[Cryptography] Aside on random numbers (was Re: Opening Discussion: Speculation on BULLRUN)

2013-09-06 Thread Perry E. Metzger
this, but of course the phone is not exactly a secure platform to begin with... Perry -- Perry E. Metzger pe...@piermont.com

[Cryptography] Sabotaged hardware (was Re: Opening Discussion: Speculation on BULLRUN)

2013-09-06 Thread Perry E. Metzger
of users. Random number generator flaws would seem like an obvious possibility here. This is especially disturbing because other actors can now start doing teardowns on a wide variety of such devices looking to find the flaws so they can themselves attack the traffic in question. Perry -- Perry E

[Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)

2013-09-06 Thread Perry E. Metzger
that some voices will say additional delay harms user experience. Such voices should be ruthlessly ignored. Perry -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] People should turn on PFS in TLS

2013-09-06 Thread Perry E. Metzger
On Fri, 6 Sep 2013 18:18:05 +0100 Ben Laurie b...@links.org wrote: On 6 September 2013 18:13, Perry E. Metzger pe...@piermont.com wrote: Google is also now (I believe) using PFS on their connections, and they handle more traffic than anyone. A connection I just made to https

[Cryptography] 1024 bit DH still common in Tor network

2013-09-06 Thread Perry E. Metzger
like it would be valuable for most Tor nodes to be running newer software anyway. -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread Perry E. Metzger
, but presumably it was far from the only target. -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] People should turn on PFS in TLS

2013-09-06 Thread Perry E. Metzger
doing so without realizing they're harming internet security, but we can no longer presume that is the motive.) Chrome handles 1.2, there is no longer any real excuse for the others not to do the same. Perry -- Perry E. Metzger pe...@piermont.com

[Cryptography] Bruce Schneier calls for independent prosecutor to investigate NSA

2013-09-06 Thread Perry E. Metzger
no credibility, and -- the real problem -- no way for us to verify anything these people might say. https://www.schneier.com/blog/archives/2013/09/conspiracy_theo_1.html -- Perry E. Metzger pe...@piermont.com

[Cryptography] Washington Post: Google racing to encrypt links between data centers

2013-09-06 Thread Perry E. Metzger
://www.washingtonpost.com/business/technology/google-encrypts-data-amid-backlash-against-nsa-spying/2013/09/06/9acc3c20-1722-11e3-a2ec-b47e45e6f8ef_story.html -- Perry E. Metzger pe...@piermont.com

[Cryptography] Matthew Green on BULLRUN

2013-09-06 Thread Perry E. Metzger
Some interesting nuggets here, including the fact that he explicitly calls out the existence of NSA's new HUMINT division that infiltrates corporations for a living. http://blog.cryptographyengineering.com/2013/09/on-nsa.html -- Perry E. Metzger pe...@piermont.com

[Cryptography] ADMIN: Reminder, yet again...

2013-09-06 Thread Perry E. Metzger
a one liner followed by a 75 line intact original, be prepared to see a rejection message. Perry -- Perry E. Metzger pe...@piermont.com

[Cryptography] NYTimes: Legislation Seeks to Bar N.S.A. Tactic in Encryption

2013-09-06 Thread Perry E. Metzger
-in-encryption.html -- Perry E. Metzger pe...@piermont.com

[Cryptography] ADMIN: Please, please, please don't top post.

2013-09-05 Thread Perry E. Metzger
I hate to ask this yet again, but: Please, please, please don't top post. Please, please, please edit down your replies. If your mobile device, say, doesn't let you do otherwise, it can probably wait half an hour until you get to a machine with a keyboard. -- Perry E. Metzger

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Perry E. Metzger
interest. Perry -- Perry E. Metzger pe...@piermont.com

[Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Perry E. Metzger
inappropriate material. At the same time, I will repeat that reasonably informed technical speculation is appropriate, as is any solid information available. Perry -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Perry E. Metzger
On Thu, 5 Sep 2013 16:53:15 -0400 Perry E. Metzger pe...@piermont.com wrote: Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed

[Cryptography] The Guardian: US and UK spy agencies defeat privacy and security on the internet

2013-09-05 Thread Perry E. Metzger
be indecipherable to criminals or governments http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Perry E. Metzger
not to feel overly strongly that this is what happened, but it does lead one to wonder strongly. Perry -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Perry E. Metzger
On Thu, 5 Sep 2013 15:58:04 -0400 Perry E. Metzger pe...@piermont.com wrote: I would like to open the floor to *informed speculation* about BULLRUN. Here are a few guesses from me: 1) I would not be surprised if it turned out that some people working for some vendors have made code

[Cryptography] Bruce Schneier in The Guardian on BULLRUN etc.

2013-09-05 Thread Perry E. Metzger
Quite worth reading. There is some speculation in there about various weaknesses that may have been added as well. http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance -- Perry E. Metzger pe...@piermont.com

[Cryptography] NY Times: NSA Foils Much Internet Encryption

2013-09-05 Thread Perry E. Metzger
searches, Internet chats and phone calls of Americans and others around the world, the documents show. http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=all -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Perry E. Metzger
that it is impossible that they can break 3DES at this point, but it doesn't sound like that's what is being discussed here. -- Perry E. Metzger pe...@piermont.com

[Cryptography] Is ECC suspicious?

2013-09-05 Thread Perry E. Metzger
, but is it an actual worry in other contexts? I tend not to believe that but I'm curious about opinions. Perry -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] tamper-evident crypto? (was: BULLRUN)

2013-09-05 Thread Perry E. Metzger
Denning's old report on that for a reminder. Perry -- Perry E. Metzger pe...@piermont.com

[Cryptography] ADMIN: less Snowden, more Crypto

2013-09-05 Thread Perry E. Metzger
or to something similarly worthwhile. Yes, this is irresistible gossip for many of us, but I don't know that it is interesting beyond that, and our traffic levels are quite high right now already. Perry -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Perry E. Metzger
On Fri, 06 Sep 2013 12:13:48 +1200 Peter Gutmann pgut...@cs.auckland.ac.nz wrote: Perry E. Metzger pe...@piermont.com writes: I would like to open the floor to *informed speculation* about BULLRUN. Not informed since I don't work for them, but a connect-the-dots: 1. ECDSA/ECDH (and DLP

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Perry E. Metzger
On Fri, 06 Sep 2013 13:50:54 +1200 Peter Gutmann pgut...@cs.auckland.ac.nz wrote: Perry E. Metzger pe...@piermont.com writes: Does that make them NSA plants? There's drafts for one or two more fairly basic fixes to significant problems from other people that get stalled forever, while

[Cryptography] Can you backdoor a symmetric cipher (was Re: Opening Discussion: Speculation on BULLRUN)

2013-09-05 Thread Perry E. Metzger
to this old paper by Blaze, Feigenbaum and Leighton: http://www.crypto.com/papers/mkcs.pdf Perry -- Perry E. Metzger pe...@piermont.com

[Cryptography] Hashes into Ciphers (was Re: FIPS, NIST and ITAR questions)

2013-09-04 Thread Perry E. Metzger
tell, such ciphers are actually quite secure, though impractically slow. Pointers to his original sci.crypt posting would be appreciated, I wasn't able to find it with a quick search. Perry -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] IPv6 and IPSEC

2013-09-04 Thread Perry E. Metzger
the scope of the list. There are a bunch of google people on the mailing list, perhaps one or more of them might want to contact Lucky in private and see if they can help him with his question. Perry -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] Hashes into Ciphers

2013-09-04 Thread Perry E. Metzger
On Wed, 4 Sep 2013 10:37:12 -0400 Perry E. Metzger pe...@piermont.com wrote: Phil Karn described a construction for turning any hash function into the core of a Feistel cipher in 1991. So far as I can tell, such ciphers are actually quite secure, though impractically slow. Pointers to his

Re: [Cryptography] Thoughts about keys

2013-09-02 Thread Perry E. Metzger
-- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] NSA and cryptanalysis

2013-09-02 Thread Perry E. Metzger
that factoring and discrete logs over the integers aren't as hard as people had thought. Not at all, and the rationale is public and seen above. I believe you're incorrectly claiming that we know much less than we actually do here. Perry -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] Thoughts about keys

2013-09-02 Thread Perry E. Metzger
On Mon, 2 Sep 2013 19:53:03 +0200 Faré fah...@gmail.com wrote: On Mon, Sep 2, 2013 at 7:19 PM, Perry E. Metzger pe...@piermont.com wrote: On Mon, 2 Sep 2013 03:00:42 +0200 Faré fah...@gmail.com wrote: At intervals, the trustworthy organization (and others like it) can send out email

Re: [Cryptography] NSA and cryptanalysis

2013-09-02 Thread Perry E. Metzger
On Mon, 2 Sep 2013 15:09:31 -0400 Jerry Leichter leich...@lrw.com wrote: On Sep 2, 2013, at 1:25 PM, Perry E. Metzger wrote: On Mon, 2 Sep 2013 00:06:21 -0400 Jerry Leichter leich...@lrw.com wrote: - To let's look at what they want for TOP SECRET. First off, RSA - accepted

Re: [Cryptography] NSA and cryptanalysis

2013-09-02 Thread Perry E. Metzger
with strong typing to be preserved in the delivered machine code in the first place.) I leave speculation to pundits, and prefer to write code and design protocols. Perry -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] NSA and cryptanalysis

2013-09-02 Thread Perry E. Metzger
are something you can actually do something about.) Perry -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] NSA and cryptanalysis

2013-09-02 Thread Perry E. Metzger
, proof carrying code, microkernels, hardware assists, formal verification... in the hopes that the mumbling might set some minds thinking. Perry -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] NSA and cryptanalysis

2013-09-01 Thread Perry E. Metzger
speculation on the basis of no actual concrete information isn't that productive. Perry -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] NSA and cryptanalysis

2013-09-01 Thread Perry E. Metzger
On Sun, 1 Sep 2013 07:11:06 -0400 Jerry Leichter leich...@lrw.com wrote: Meanwhile, just what evidence do we really have that AES is secure? The fact that the USG likes using it, too. That's also evidence for elliptic curve techniques btw. Perry -- Perry E. Metzger pe

Re: [Cryptography] NSA and cryptanalysis

2013-09-01 Thread Perry E. Metzger
On Sun, 1 Sep 2013 16:33:56 -0400 Jerry Leichter leich...@lrw.com wrote: On Sep 1, 2013, at 2:11 PM, Perry E. Metzger wrote: On Sun, 1 Sep 2013 07:11:06 -0400 Jerry Leichter leich...@lrw.com wrote: Meanwhile, just what evidence do we really have that AES is secure? The fact

[Cryptography] Keeping backups (was Re: Separating concerns

2013-08-29 Thread Perry E. Metzger
have non-technical friends who use it and are totally happy with the results. I wish there was an automated thing in Time Machine to let me trade backups with an offsite friend as well. Perry -- Perry E. Metzger pe...@piermont.com

Re: [Cryptography] Why human-readable IDs (was Re: Email and IM are ideal candidates for mix networks)

2013-08-29 Thread Perry E. Metzger
On Thu, 29 Aug 2013 01:18:59 +1000 (EST) Dave Horsfall d...@horsfall.org wrote: On Wed, 28 Aug 2013, Perry E. Metzger wrote: Anyway, I've already started implementing my proposed solution to that part of the problem. There is still a need for a distributed database to handle the lookup

Re: [Cryptography] Why not the DNS? (was Re: Implementations, attacks on DHTs, Mix Nets?)

2013-08-29 Thread Perry E. Metzger
On Wed, 28 Aug 2013 10:43:24 -0400 Jerry Leichter leich...@lrw.com wrote: On Aug 28, 2013, at 8:34 AM, Perry E. Metzger wrote: On Tue, 27 Aug 2013 23:39:51 -0400 Jerry Leichter leich...@lrw.com wrote: It's not as if this isn't a design we have that we know works: DNS. Read what I said

[Cryptography] The Case for Formal Verification

2013-08-29 Thread Perry E. Metzger
it be nice to make some progress in the other direction? Perry -- Perry E. Metzger pe...@piermont.com

[Cryptography] Why not the DNS? (was Re: Implementations, attacks on DHTs, Mix Nets?)

2013-08-28 Thread Perry E. Metzger
understand why people would want to do it that way. It is not, however, practical if one wants to deploy in months and not decades, and it makes trust entirely hierarchical. Perry -- Perry E. Metzger pe...@piermont.com

[Cryptography] human readable IDs, revokable keys (Re: Email and IM are ideal candidates for mix networks)

2013-08-28 Thread Perry E. Metzger
in the first of my three messages on my proposed new model -- it also happens to handle revocation reasonably well (though imperfectly). Perry -- Perry E. Metzger pe...@piermont.com
