Re: [Cryptography] Sha3

2013-10-07 Thread Peter Fairbrother
function - and they have to be able to accept data and operations for more than one function as well, which opens up potential security holes. I could go on, but I hope you get the point already. -- Peter Fairbrother ___ The cryptography mailing list

Re: [Cryptography] Sha3

2013-10-07 Thread Peter Fairbrother
50% faster. (Now, whether my theory that we stuck with MD5 over SHA1 because variable field lengths are harder to parse in C -- that's an open question to say the least.) :) -- Peter Fairbrother ___ The cryptography mailing list cryptography

Re: [Cryptography] RSA equivalent key length/strength

2013-10-01 Thread Peter Fairbrother
these two actual and easily verifiable failings in a supposedly open generation process are enough to make the final groups selected useful for NSA's nefarious purposes. But there is a definite lack of clarity there. -- Peter Fairbrother

Re: [Cryptography] TLS2

2013-10-01 Thread Peter Fairbrother
a username and only three password attempts, and all your GPUs and ASIC farms are worth nothing. -- Peter Fairbrother ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

[Cryptography] AES-256- More NIST-y? paranoia

2013-10-01 Thread Peter Fairbrother
previously changed cipher specs under NSA guidance, most famously for DES, with apparently good intentions then - but with NSA and it's two-faced mission, we always have to look at capabilities, not intentions. -- Peter Fairbrother [and why doesn't AES-256 have 256-bit blocks

Re: [Cryptography] RSA equivalent key length/strength

2013-09-30 Thread Peter Fairbrother
On 26/09/13 07:52, ianG wrote: On 26/09/13 02:24 AM, Peter Fairbrother wrote: On 25/09/13 17:17, ianG wrote: On 24/09/13 19:23 PM, Kelly John Rose wrote: I have always approached that no encryption is better than bad encryption, otherwise the end user will feel more secure than they should

Re: [Cryptography] RSA equivalent key length/strength

2013-09-26 Thread Peter Fairbrother
it is storing right now against the day. [*] does anyone else think it odd that the benefit of introducing 1024-bit DHE, as opposed to 2048-bit RSA, is only active when the webserver has given or will give NSA the keys? Just why is this being considered for recommendation? Yes, stunt. -- Peter

Re: [Cryptography] forward-secrecy =2048-bit in legacy browser/servers? (Re: RSA equivalent key length/strength)

2013-09-26 Thread Peter Fairbrother
, Google, Microsoft, Mozilla - and the webservers - Apache, Microsoft, nginx - together and get them to agree we must all implement this before writing the RFC. -- Peter Fairbrother ___ The cryptography mailing list cryptography@metzdowd.com http

Re: [Cryptography] RSA equivalent key length/strength

2013-09-24 Thread Peter Fairbrother
. And please please please don't call them all the same thing - because they aren't. But, the immediate question before the court of TLS now is - do we recommend a 1024-bit FS solution? And I for one cannot say that you should. In fact I would be horrified if you did. -- Peter Fairbrother

[Cryptography] RSA equivalent key length/strength

2013-09-14 Thread Peter Fairbrother
someone will build that sort of quantum computer one day, but they might. ] -- Peter Fairbrother ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

Re: [Cryptography] RSA equivalent key length/strength

2013-09-14 Thread Peter Fairbrother
On 14/09/13 17:14, Perry E. Metzger wrote: On Sat, 14 Sep 2013 16:53:38 +0100 Peter Fairbrother zenadsl6...@zen.co.uk wrote: NIST also give the traditional recommendations, 80 - 1024 and 112 - 2048, plus 128 - 3072, 192 - 7680, 256 - 15360. [...] But, I wonder, where do these longer

Re: [Cryptography] Squaring Zooko's triangle

2013-09-11 Thread Peter Fairbrother
- on it's head. You don't write your email and fingerprint on the napkin - just the mash. -- Peter Fairbrother ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

Re: [Cryptography] What TLS ciphersuites are still OK?

2013-09-10 Thread Peter Fairbrother
browsers don't make it easy to find out which suite is actually in use ... :( ] Hmmm, can a certificate have several keylengths to choose from? And, if the suite allows it, can a certificate have an RSA key for authentication and a different RSA key for session key setup (cf RIPA)? -- Peter

Re: [Cryptography] Squaring Zooko's triangle

2013-09-10 Thread Peter Fairbrother
On 10/09/13 05:38, James A. Donald wrote: On 2013-09-10 3:12 AM, Peter Fairbrother wrote: I like to look at it the other way round, retrieving the correct name for a key. You don't give someone your name, you give them an 80-bit key fingerprint. It looks something like m-NN4H-JS7Y-OTRH-GIRN

Re: [Cryptography] Thoughts about keys

2013-09-10 Thread Peter Fairbrother
On 10/09/13 10:00, Guido Witmond wrote: Hi Peter, We really have different designs. I'll comment inline. On 09/09/13 19:12, Peter Fairbrother wrote: On 09/09/13 13:08, Guido Witmond wrote: I like to look at it the other way round, retrieving the correct name for a key. You don't give

Re: [Cryptography] Thoughts about keys

2013-09-09 Thread Peter Fairbrother
available just now, so don't ask. ] -- Peter Fairbrother ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

Re: [Cryptography] A Likely Story!

2013-09-09 Thread Peter Fairbrother
On 09/09/13 12:53, Alexander Klimov wrote: On Sun, 8 Sep 2013, Peter Fairbrother wrote: You can use any one of trillions of different elliptic curves,which should be chosen partly at random and partly so they are the right size and so on; but you can also start with some randomly-chosen

Re: [Cryptography] [cryptography] SSH uses secp256/384r1 which has the same parameters as what's in SEC2 which are the same the parameters as specified in SP800-90 for Dual EC DRBG!

2013-09-09 Thread Peter Fairbrother
that there is a whole lot of wiggle room between a cherry-picked c and the final curve. -- Peter Fairbrother ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

Re: [Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)

2013-09-06 Thread Peter Fairbrother
came in early to mid 2010. I'm still leaning towards RSA, but ... -- Peter Fairbrother ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Peter Fairbrother
ciphers (and using two different KEMs) seems a lot more respectable now. -- Peter Fairbrother ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

Re: UK RIPA Pt 3

2007-07-05 Thread Peter Fairbrother
Peter Fairbrother wrote: The UK Home Office have just announced that they intend to bring the provisions of Pt 3 of the Regulation of Investigatory Powers Act 2000 into force on 1st October. This is the law that enables Policemen to demand keys to encrypted material, on pain of imprisonment

UK RIPA Pt 3

2007-07-05 Thread Peter Fairbrother
is a freeware live CD containing OS and applications, including an ephemerally keyed messaging service, and a steganographic file system. If anyone knows of any other technologies to defeat this coercive attack I would be glad to hear of them, and perhaps include them in m-o-o-t. -- Peter

Windows guru requested - Securing Windows

2006-06-07 Thread Peter Fairbrother
. Secret files should be saved to this fs. Thanks, -- Peter Fairbrother [EMAIL PROTECTED] http://www.m-o-o-t.org Moderated mailing list: [EMAIL PROTECTED] Notification of release: blank email to [EMAIL PROTECTED

Re: thoughts on one time pads

2006-01-31 Thread Peter Fairbrother
not? It costs nothing. -- Peter Fairbrother [1] the crypto variety of m-of-n splitting, but where m=n so you need all of the pieces to reconstruct any of the whole - not the RAID variety of m-of-n splitting, where you only need as much data as the original data. [2] Anne Widdecombe

Re: solving the wrong problem

2005-08-08 Thread Peter Fairbrother
Peter Gutmann wrote: Peter Fairbrother [EMAIL PROTECTED] writes: Perry E. Metzger wrote: Frequently, scientists who know nothing about security come up with ingenious ways to solve non-existent problems. Take this, for example: http://www.sciam.com/article.cfm?chanID=sa003articleID

Re: solving the wrong problem

2005-08-07 Thread Peter Fairbrother
on the missile rather than paper? -- Peter Fairbrother - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: EMV

2005-07-11 Thread Peter Fairbrother
. Muggers and pickpockets keep a close eye out to see how fat your wallet is and where you keep it ... -- Peter Fairbrother - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: Why Blockbuster looks at your ID.

2005-07-09 Thread Peter Fairbrother
on the card ... and the issuer will still have a list of your transactions. Not having to show ID may save annoyance, but it doesn't significantly improve privacy. -- Peter Fairbrother - The Cryptography Mailing List

Re: Why Blockbuster looks at your ID.

2005-07-09 Thread Peter Fairbrother
was going to be introduced worldwide. Anyone know more about that? -- Peter Fairbrother - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: massive data theft at MasterCard processor

2005-06-20 Thread Peter Fairbrother
. -- Peter Fairbrother - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: Article on passwords in Wired News

2004-06-07 Thread Peter Fairbrother
secure, or terribly one-time, but it would defeat a simple keylogger or shoulder surfing attack, for instance. It doesn't give me the warm fuzzies, but it does mean I would use a dodgy terminal at least once if I was stuck in the badlands (and then change passwords etc.). -- Peter Fairbrother

Re: safety of Pohlig-Hellman with a common modulus?

2003-12-07 Thread Peter Fairbrother
David Wagner wrote: Peter Fairbrother wrote: Not usually. In general index calculus attacks don't work on P-H, [...] Sure they do. If I have a known plaintext pair (M,C), where C = M^k (mod p), then with two discrete log computations I can compute k, since k = dlog_g(C)/dlog_g(M) (mod

Re: safety of Pohlig-Hellman with a common modulus?

2003-12-06 Thread Peter Fairbrother
Steve Bellovin wrote: Is it safe to use Pohlig-Hellman encryption with a common modulus? That is, I want various parties to have their own exponents, but share the same prime modulus. In my application, a chosen plaintext attack will be possible. (I know that RSA with common modulus is not

Re: safety of Pohlig-Hellman with a common modulus?

2003-12-06 Thread Peter Fairbrother
I wrote: Steve Bellovin wrote: Is it safe to use Pohlig-Hellman encryption with a common modulus? That is, I want various parties to have their own exponents, but share the same prime modulus. In my application, a chosen plaintext attack will be possible. (I know that RSA with common

Re: Searching for uncopyable key made of sparkles in plastic

2003-12-04 Thread Peter Fairbrother
if they were the same missiles. I don't know what the Russians did to the US missiles, but I think it was the same. -- Peter Fairbrother I hear that the emperor of china used to wear iron shoes with ease - The Cryptography Mailing

lockable trapdoor one-way function

2003-11-26 Thread Peter Fairbrother
Does anyone know of a trapdoor one-way function whose trapdoor can be locked after use? It can be done with secure hardware and/or distributed trust, just delete the trapdoor key, and prove (somehow?) you've deleted it. It looks hard to do in trust-the-math-only mode... -- Peter Fairbrother

Re: A-B-a-b encryption

2003-11-19 Thread Peter Fairbrother
. There are lots of things to watch out for in implementations. I'm trying to develop (or find? anyone?) a secure symmetric cipher which is a group, where if you know A and B you can find a key C that decrypts B(A(M)), but that's a different story. -- Peter Fairbrother

Re: quantum hype

2003-10-03 Thread Peter Fairbrother
[EMAIL PROTECTED] wrote: From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dave Howe Peter Fairbrother may well be in possession of a break for the QC hard problem - his last post stated there was a way to clone photons with high accuracy in retention of their polarization [SNIP

Re: quantum hype

2003-09-28 Thread Peter Fairbrother
more links on that later. *unless someone mentions non-linear transformations. Which is a different dispute really. -- Peter Fairbrother - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL

Re: Can Eve repeat?

2003-09-26 Thread Peter Fairbrother
it's impossible to clone. Perhaps it should be called somthing else. -- Peter Fairbrother - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: quantum hype

2003-09-22 Thread Peter Fairbrother
[EMAIL PROTECTED] wrote: From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dave Howe Peter Fairbrother may well be in possession of a break for the QC hard problem - his last post stated there was a way to clone photons with high accuracy in retention of their polarization [SNIP

Re: quantum hype

2003-09-21 Thread Peter Fairbrother
can send Bob data rather than generating a random shared secret, and without a separate channel, if she generates the quantum string using a preshared secret. Mallory can get 1/2 of the bits, but AONT's can defend against that, and if properly implemented no MitM is possible. And so on. -- Peter

Re: pubkeys for p and g

2003-06-27 Thread Peter Fairbrother
martin f krafft wrote: also sprach Peter Fairbrother [EMAIL PROTECTED] [2003.06.27.1903 +0200]: Can you give me a ref to where they say that? I'd like to know exactly what they are claiming. this will have to wait a couple of days. Perhaps they are encrypting the DH secrets with RSA keys