Re: [Cryptography] Sha3

2013-10-07 Thread Peter Fairbrother
function - and they have to be able to accept data and operations for more than one function as well, which opens up potential security holes. I could go on, but I hope you get the point already. -- Peter Fairbrother ___ The cryptography mailing list

Re: [Cryptography] Sha3

2013-10-07 Thread Peter Fairbrother
50% faster. (Now, whether my theory that we stuck with MD5 over SHA1 because variable field lengths are harder to parse in C -- that's an open question to say the least.) :) -- Peter Fairbrother

Re: [Cryptography] RSA equivalent key length/strength

2013-10-01 Thread Peter Fairbrother
these two actual and easily verifiable failings in a supposedly open generation process are enough to make the final groups selected useful for NSA's nefarious purposes. But there is a definite lack of clarity there. -- Peter Fairbrother

Re: [Cryptography] TLS2

2013-10-01 Thread Peter Fairbrother
a username and only three password attempts, and all your GPUs and ASIC farms are worth nothing. -- Peter Fairbrother

[Cryptography] AES-256- More NIST-y? paranoia

2013-10-01 Thread Peter Fairbrother
previously changed cipher specs under NSA guidance, most famously for DES, with apparently good intentions then - but with NSA and its two-faced mission, we always have to look at capabilities, not intentions. -- Peter Fairbrother [and why doesn't AES-256 have 256-bit blocks

Re: [Cryptography] RSA equivalent key length/strength

2013-09-30 Thread Peter Fairbrother
On 26/09/13 07:52, ianG wrote: On 26/09/13 02:24 AM, Peter Fairbrother wrote: On 25/09/13 17:17, ianG wrote: On 24/09/13 19:23 PM, Kelly John Rose wrote: I have always approached that no encryption is better than bad encryption, otherwise the end user will feel more secure than they should

Re: [Cryptography] RSA equivalent key length/strength

2013-09-26 Thread Peter Fairbrother
it is storing right now against the day. [*] does anyone else think it odd that the benefit of introducing 1024-bit DHE, as opposed to 2048-bit RSA, is only active when the webserver has given or will give NSA the keys? Just why is this being considered for recommendation? Yes, stunt. -- Peter

Re: [Cryptography] forward-secrecy =2048-bit in legacy browser/servers? (Re: RSA equivalent key length/strength)

2013-09-26 Thread Peter Fairbrother
, Google, Microsoft, Mozilla - and the webservers - Apache, Microsoft, nginx - together and get them to agree we must all implement this before writing the RFC. -- Peter Fairbrother

Re: [Cryptography] RSA equivalent key length/strength

2013-09-24 Thread Peter Fairbrother
. And please please please don't call them all the same thing - because they aren't. But, the immediate question before the court of TLS now is - do we recommend a 1024-bit FS solution? And I for one cannot say that you should. In fact I would be horrified if you did. -- Peter Fairbrother

[Cryptography] RSA equivalent key length/strength

2013-09-14 Thread Peter Fairbrother
someone will build that sort of quantum computer one day, but they might. ] -- Peter Fairbrother

Re: [Cryptography] RSA equivalent key length/strength

2013-09-14 Thread Peter Fairbrother
On 14/09/13 17:14, Perry E. Metzger wrote: On Sat, 14 Sep 2013 16:53:38 +0100 Peter Fairbrother zenadsl6...@zen.co.uk wrote: NIST also give the traditional recommendations, 80 - 1024 and 112 - 2048, plus 128 - 3072, 192 - 7680, 256 - 15360. [...] But, I wonder, where do these longer

Re: [Cryptography] Squaring Zooko's triangle

2013-09-11 Thread Peter Fairbrother
- on its head. You don't write your email and fingerprint on the napkin - just the mash. -- Peter Fairbrother

Re: [Cryptography] What TLS ciphersuites are still OK?

2013-09-10 Thread Peter Fairbrother
browsers don't make it easy to find out which suite is actually in use ... :( ] Hmmm, can a certificate have several keylengths to choose from? And, if the suite allows it, can a certificate have an RSA key for authentication and a different RSA key for session key setup (cf RIPA)? -- Peter

Re: [Cryptography] Squaring Zooko's triangle

2013-09-10 Thread Peter Fairbrother
On 10/09/13 05:38, James A. Donald wrote: On 2013-09-10 3:12 AM, Peter Fairbrother wrote: I like to look at it the other way round, retrieving the correct name for a key. You don't give someone your name, you give them an 80-bit key fingerprint. It looks something like m-NN4H-JS7Y-OTRH-GIRN

Re: [Cryptography] Thoughts about keys

2013-09-10 Thread Peter Fairbrother
On 10/09/13 10:00, Guido Witmond wrote: Hi Peter, We really have different designs. I'll comment inline. On 09/09/13 19:12, Peter Fairbrother wrote: On 09/09/13 13:08, Guido Witmond wrote: I like to look at it the other way round, retrieving the correct name for a key. You don't give

Re: [Cryptography] Thoughts about keys

2013-09-09 Thread Peter Fairbrother
available just now, so don't ask. ] -- Peter Fairbrother

Re: [Cryptography] A Likely Story!

2013-09-09 Thread Peter Fairbrother
On 09/09/13 12:53, Alexander Klimov wrote: On Sun, 8 Sep 2013, Peter Fairbrother wrote: You can use any one of trillions of different elliptic curves,which should be chosen partly at random and partly so they are the right size and so on; but you can also start with some randomly-chosen

Re: [Cryptography] [cryptography] SSH uses secp256/384r1 which has the same parameters as what's in SEC2 which are the same the parameters as specified in SP800-90 for Dual EC DRBG!

2013-09-09 Thread Peter Fairbrother
that there is a whole lot of wiggle room between a cherry-picked c and the final curve. -- Peter Fairbrother

Re: [Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)

2013-09-06 Thread Peter Fairbrother
came in early to mid 2010. I'm still leaning towards RSA, but ... -- Peter Fairbrother

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Peter Fairbrother
ciphers (and using two different KEMs) seems a lot more respectable now. -- Peter Fairbrother

Re: UK RIPA Pt 3

2007-07-05 Thread Peter Fairbrother
Peter Fairbrother wrote: The UK Home Office have just announced that they intend to bring the provisions of Pt 3 of the Regulation of Investigatory Powers Act 2000 into force on 1st October. This is the law that enables Policemen to demand keys to encrypted material, on pain of imprisonment

UK RIPA Pt 3

2007-07-05 Thread Peter Fairbrother
is a freeware live CD containing OS and applications, including an ephemerally keyed messaging service, and a steganographic file system. If anyone knows of any other technologies to defeat this coercive attack I would be glad to hear of them, and perhaps include them in m-o-o-t. -- Peter

Windows guru requested - Securing Windows

2006-06-07 Thread Peter Fairbrother
. Secret files should be saved to this fs. Thanks, -- Peter Fairbrother [EMAIL PROTECTED] http://www.m-o-o-t.org Moderated mailing list: [EMAIL PROTECTED] Notification of release: blank email to [EMAIL PROTECTED

Re: thoughts on one time pads

2006-01-31 Thread Peter Fairbrother
not? It costs nothing. -- Peter Fairbrother [1] the crypto variety of m-of-n splitting, but where m=n so you need all of the pieces to reconstruct any of the whole - not the RAID variety of m-of-n splitting, where you only need as much data as the original data. [2] Anne Widdecombe

Re: solving the wrong problem

2005-08-08 Thread Peter Fairbrother
Peter Gutmann wrote: Peter Fairbrother [EMAIL PROTECTED] writes: Perry E. Metzger wrote: Frequently, scientists who know nothing about security come up with ingenious ways to solve non-existent problems. Take this, for example: http://www.sciam.com/article.cfm?chanID=sa003articleID

Re: solving the wrong problem

2005-08-07 Thread Peter Fairbrother
on the missile rather than paper? -- Peter Fairbrother - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: EMV

2005-07-11 Thread Peter Fairbrother
. Muggers and pickpockets keep a close eye out to see how fat your wallet is and where you keep it ... -- Peter Fairbrother

Re: Why Blockbuster looks at your ID.

2005-07-09 Thread Peter Fairbrother
on the card ... and the issuer will still have a list of your transactions. Not having to show ID may save annoyance, but it doesn't significantly improve privacy. -- Peter Fairbrother

Re: Why Blockbuster looks at your ID.

2005-07-09 Thread Peter Fairbrother
was going to be introduced worldwide. Anyone know more about that? -- Peter Fairbrother

Re: massive data theft at MasterCard processor

2005-06-20 Thread Peter Fairbrother
. -- Peter Fairbrother

Re: Article on passwords in Wired News

2004-06-07 Thread Peter Fairbrother
secure, or terribly one-time, but it would defeat a simple keylogger or shoulder surfing attack, for instance. It doesn't give me the warm fuzzies, but it does mean I would use a dodgy terminal at least once if I was stuck in the badlands (and then change passwords etc.). -- Peter Fairbrother

Re: safety of Pohlig-Hellman with a common modulus?

2003-12-07 Thread Peter Fairbrother
David Wagner wrote: Peter Fairbrother wrote: Not usually. In general index calculus attacks don't work on P-H, [...] Sure they do. If I have a known plaintext pair (M,C), where C = M^k (mod p), then with two discrete log computations I can compute k, since k = dlog_g(C)/dlog_g(M) (mod

Re: safety of Pohlig-Hellman with a common modulus?

2003-12-06 Thread Peter Fairbrother
Steve Bellovin wrote: Is it safe to use Pohlig-Hellman encryption with a common modulus? That is, I want various parties to have their own exponents, but share the same prime modulus. In my application, a chosen plaintext attack will be possible. (I know that RSA with common modulus is not

Re: safety of Pohlig-Hellman with a common modulus?

2003-12-06 Thread Peter Fairbrother
I wrote: Steve Bellovin wrote: Is it safe to use Pohlig-Hellman encryption with a common modulus? That is, I want various parties to have their own exponents, but share the same prime modulus. In my application, a chosen plaintext attack will be possible. (I know that RSA with common

Re: Searching for uncopyable key made of sparkles in plastic

2003-12-04 Thread Peter Fairbrother
if they were the same missiles. I don't know what the Russians did to the US missiles, but I think it was the same. -- Peter Fairbrother I hear that the emperor of china used to wear iron shoes with ease

lockable trapdoor one-way function

2003-11-26 Thread Peter Fairbrother
Does anyone know of a trapdoor one-way function whose trapdoor can be locked after use? It can be done with secure hardware and/or distributed trust, just delete the trapdoor key, and prove (somehow?) you've deleted it. It looks hard to do in trust-the-math-only mode... -- Peter Fairbrother

Re: A-B-a-b encryption

2003-11-19 Thread Peter Fairbrother
. There are lots of things to watch out for in implementations. I'm trying to develop (or find? anyone?) a secure symmetric cipher which is a group, where if you know A and B you can find a key C that decrypts B(A(M)), but that's a different story. -- Peter Fairbrother

Re: quantum hype

2003-10-03 Thread Peter Fairbrother
[EMAIL PROTECTED] wrote: From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dave Howe Peter Fairbrother may well be in possession of a break for the QC hard problem - his last post stated there was a way to clone photons with high accuracy in retention of their polarization [SNIP

Re: quantum hype

2003-09-28 Thread Peter Fairbrother
more links on that later. *unless someone mentions non-linear transformations. Which is a different dispute really. -- Peter Fairbrother

Re: quantum hype

2003-09-22 Thread Peter Fairbrother
[EMAIL PROTECTED] wrote: From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dave Howe Peter Fairbrother may well be in possession of a break for the QC hard problem - his last post stated there was a way to clone photons with high accuracy in retention of their polarization [SNIP

Re: quantum hype

2003-09-21 Thread Peter Fairbrother
can send Bob data rather than generating a random shared secret, and without a separate channel, if she generates the quantum string using a preshared secret. Mallory can get 1/2 of the bits, but AONTs can defend against that, and if properly implemented no MitM is possible. And so on. -- Peter

Re: pubkeys for p and g

2003-06-27 Thread Peter Fairbrother
martin f krafft wrote: also sprach Peter Fairbrother [EMAIL PROTECTED] [2003.06.27.1903 +0200]: Can you give me a ref to where they say that? I'd like to know exactly what they are claiming. this will have to wait a couple of days. Perhaps they are encrypting the DH secrets with RSA keys