### Re: [Cryptography] Sha3

function - and they have to be able to accept data and operations for more than one function as well, which opens up potential security holes. I could go on, but I hope you get the point already. -- Peter Fairbrother ___ The cryptography mailing list

### Re: [Cryptography] Sha3

50% faster. (Now, whether my theory that we stuck with MD5 over SHA1 because variable field lengths are harder to parse in C -- that's an open question to say the least.) :) -- Peter Fairbrother

### Re: [Cryptography] RSA equivalent key length/strength

these two actual and easily verifiable failings in a supposedly open generation process are enough to make the final groups selected useful for NSA's nefarious purposes. But there is a definite lack of clarity there. -- Peter Fairbrother

### Re: [Cryptography] TLS2

a username and only three password attempts, and all your GPUs and ASIC farms are worth nothing. -- Peter Fairbrother ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

### [Cryptography] AES-256- More NIST-y? paranoia

previously changed cipher specs under NSA guidance, most famously for DES, with apparently good intentions then - but with NSA and its two-faced mission, we always have to look at capabilities, not intentions. -- Peter Fairbrother [and why doesn't AES-256 have 256-bit blocks

### Re: [Cryptography] RSA equivalent key length/strength

On 26/09/13 07:52, ianG wrote: On 26/09/13 02:24 AM, Peter Fairbrother wrote: On 25/09/13 17:17, ianG wrote: On 24/09/13 19:23 PM, Kelly John Rose wrote: I have always approached that no encryption is better than bad encryption, otherwise the end user will feel more secure than they should

### Re: [Cryptography] RSA equivalent key length/strength

it is storing right now against the day. [*] does anyone else think it odd that the benefit of introducing 1024-bit DHE, as opposed to 2048-bit RSA, is only active when the webserver has given or will give NSA the keys? Just why is this being considered for recommendation? Yes, stunt. -- Peter

### Re: [Cryptography] forward-secrecy =2048-bit in legacy browser/servers? (Re: RSA equivalent key length/strength)

, Google, Microsoft, Mozilla - and the webservers - Apache, Microsoft, nginx - together and get them to agree we must all implement this before writing the RFC. -- Peter Fairbrother

### Re: [Cryptography] RSA equivalent key length/strength

. And please please please don't call them all the same thing - because they aren't. But, the immediate question before the court of TLS now is - do we recommend a 1024-bit FS solution? And I for one cannot say that you should. In fact I would be horrified if you did. -- Peter Fairbrother

### [Cryptography] RSA equivalent key length/strength

someone will build that sort of quantum computer one day, but they might. ] -- Peter Fairbrother

### Re: [Cryptography] RSA equivalent key length/strength

On 14/09/13 17:14, Perry E. Metzger wrote: On Sat, 14 Sep 2013 16:53:38 +0100 Peter Fairbrother zenadsl6...@zen.co.uk wrote: NIST also give the traditional recommendations, 80 - 1024 and 112 - 2048, plus 128 - 3072, 192 - 7680, 256 - 15360. [...] But, I wonder, where do these longer

### Re: [Cryptography] Squaring Zooko's triangle

- on its head. You don't write your email and fingerprint on the napkin - just the mash. -- Peter Fairbrother

### Re: [Cryptography] What TLS ciphersuites are still OK?

browsers don't make it easy to find out which suite is actually in use ... :( ] Hmmm, can a certificate have several keylengths to choose from? And, if the suite allows it, can a certificate have an RSA key for authentication and a different RSA key for session key setup (cf RIPA)? -- Peter

### Re: [Cryptography] Squaring Zooko's triangle

On 10/09/13 05:38, James A. Donald wrote: On 2013-09-10 3:12 AM, Peter Fairbrother wrote: I like to look at it the other way round, retrieving the correct name for a key. You don't give someone your name, you give them an 80-bit key fingerprint. It looks something like m-NN4H-JS7Y-OTRH-GIRN

### Re: [Cryptography] Thoughts about keys

On 10/09/13 10:00, Guido Witmond wrote: Hi Peter, We really have different designs. I'll comment inline. On 09/09/13 19:12, Peter Fairbrother wrote: On 09/09/13 13:08, Guido Witmond wrote: I like to look at it the other way round, retrieving the correct name for a key. You don't give

### Re: [Cryptography] Thoughts about keys

available just now, so don't ask. ] -- Peter Fairbrother

### Re: [Cryptography] A Likely Story!

On 09/09/13 12:53, Alexander Klimov wrote: On Sun, 8 Sep 2013, Peter Fairbrother wrote: You can use any one of trillions of different elliptic curves, which should be chosen partly at random and partly so they are the right size and so on; but you can also start with some randomly-chosen

### Re: [Cryptography] [cryptography] SSH uses secp256/384r1 which has the same parameters as what's in SEC2 which are the same the parameters as specified in SP800-90 for Dual EC DRBG!

that there is a whole lot of wiggle room between a cherry-picked c and the final curve. -- Peter Fairbrother

### Re: [Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)

came in early to mid 2010. I'm still leaning towards RSA, but ... -- Peter Fairbrother

### Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

ciphers (and using two different KEMs) seems a lot more respectable now. -- Peter Fairbrother

### Re: UK RIPA Pt 3

Peter Fairbrother wrote: The UK Home Office have just announced that they intend to bring the provisions of Pt 3 of the Regulation of Investigatory Powers Act 2000 into force on 1st October. This is the law that enables Policemen to demand keys to encrypted material, on pain of imprisonment

### UK RIPA Pt 3

is a freeware live CD containing OS and applications, including an ephemerally keyed messaging service, and a steganographic file system. If anyone knows of any other technologies to defeat this coercive attack I would be glad to hear of them, and perhaps include them in m-o-o-t. -- Peter

### Windows guru requested - Securing Windows

. Secret files should be saved to this fs. Thanks, -- Peter Fairbrother [EMAIL PROTECTED] http://www.m-o-o-t.org Moderated mailing list: [EMAIL PROTECTED] Notification of release: blank email to [EMAIL PROTECTED

### Re: thoughts on one time pads

not? It costs nothing. -- Peter Fairbrother [1] the crypto variety of m-of-n splitting, but where m=n so you need all of the pieces to reconstruct any of the whole - not the RAID variety of m-of-n splitting, where you only need as much data as the original data. [2] Anne Widdecombe

### Re: solving the wrong problem

Peter Gutmann wrote: Peter Fairbrother [EMAIL PROTECTED] writes: Perry E. Metzger wrote: Frequently, scientists who know nothing about security come up with ingenious ways to solve non-existent problems. Take this, for example: http://www.sciam.com/article.cfm?chanID=sa003articleID

### Re: solving the wrong problem

on the missile rather than paper? -- Peter Fairbrother - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

### Re: EMV

. Muggers and pickpockets keep a close eye out to see how fat your wallet is and where you keep it ... -- Peter Fairbrother

### Re: Why Blockbuster looks at your ID.

on the card ... and the issuer will still have a list of your transactions. Not having to show ID may save annoyance, but it doesn't significantly improve privacy. -- Peter Fairbrother

### Re: Why Blockbuster looks at your ID.

was going to be introduced worldwide. Anyone know more about that? -- Peter Fairbrother

### Re: massive data theft at MasterCard processor

. -- Peter Fairbrother

### Re: Article on passwords in Wired News

secure, or terribly one-time, but it would defeat a simple keylogger or shoulder surfing attack, for instance. It doesn't give me the warm fuzzies, but it does mean I would use a dodgy terminal at least once if I was stuck in the badlands (and then change passwords etc.). -- Peter Fairbrother

### Re: safety of Pohlig-Hellman with a common modulus?

David Wagner wrote: Peter Fairbrother wrote: Not usually. In general index calculus attacks don't work on P-H, [...] Sure they do. If I have a known plaintext pair (M,C), where C = M^k (mod p), then with two discrete log computations I can compute k, since k = dlog_g(C)/dlog_g(M) (mod

### Re: safety of Pohlig-Hellman with a common modulus?

Steve Bellovin wrote: Is it safe to use Pohlig-Hellman encryption with a common modulus? That is, I want various parties to have their own exponents, but share the same prime modulus. In my application, a chosen plaintext attack will be possible. (I know that RSA with common modulus is not

### Re: safety of Pohlig-Hellman with a common modulus?

I wrote: Steve Bellovin wrote: Is it safe to use Pohlig-Hellman encryption with a common modulus? That is, I want various parties to have their own exponents, but share the same prime modulus. In my application, a chosen plaintext attack will be possible. (I know that RSA with common

### Re: Searching for uncopyable key made of sparkles in plastic

if they were the same missiles. I don't know what the Russians did to the US missiles, but I think it was the same. -- Peter Fairbrother I hear that the emperor of China used to wear iron shoes with ease

### lockable trapdoor one-way function

Does anyone know of a trapdoor one-way function whose trapdoor can be locked after use? It can be done with secure hardware and/or distributed trust, just delete the trapdoor key, and prove (somehow?) you've deleted it. It looks hard to do in trust-the-math-only mode... -- Peter Fairbrother

### Re: A-B-a-b encryption

. There are lots of things to watch out for in implementations. I'm trying to develop (or find? anyone?) a secure symmetric cipher which is a group, where if you know A and B you can find a key C that decrypts B(A(M)), but that's a different story. -- Peter Fairbrother

### Re: quantum hype

[EMAIL PROTECTED] wrote: From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dave Howe Peter Fairbrother may well be in possession of a break for the QC hard problem - his last post stated there was a way to clone photons with high accuracy in retention of their polarization [SNIP

### Re: quantum hype

more links on that later. *unless someone mentions non-linear transformations. Which is a different dispute really. -- Peter Fairbrother

### Re: quantum hype

can send Bob data rather than generating a random shared secret, and without a separate channel, if she generates the quantum string using a preshared secret. Mallory can get 1/2 of the bits, but AONTs can defend against that, and if properly implemented no MitM is possible. And so on. -- Peter

### Re: pubkeys for p and g

martin f krafft wrote: also sprach Peter Fairbrother [EMAIL PROTECTED] [2003.06.27.1903 +0200]: Can you give me a ref to where they say that? I'd like to know exactly what they are claiming. this will have to wait a couple of days. Perhaps they are encrypting the DH secrets with RSA keys