Re: [Cryptography] PGP Key Signing parties

2013-10-11 Thread Phillip Hallam-Baker
Reply to various, Yes, the value in a given key signing is weak, in fact every link in the web of trust is terribly weak. However, if you notarize and publish the links in CT fashion then I can show that they actually become very strong. I might not have good evidence of John Gilmore's key at

[Cryptography] Key stretching

2013-10-11 Thread Phillip Hallam-Baker
All, Quick question, anyone got a good scheme for key stretching? I have this scheme for managing private keys that involves storing them as encrypted PKCS#8 blobs in the cloud. AES128 seems a little on the weak side for this but there are (rare) circumstances where a user is going to need to

[Cryptography] Other Backdoors?

2013-10-10 Thread Phillip Hallam-Baker
I sarcastically proposed the use of GOST as an alternative to NIST crypto. Someone shot back a note saying the elliptic curves might be 'bent'. Might be interesting for EC to take another look at GOST since it might be the case that the GRU and the NSA both found a similar backdoor but one was

Re: [Cryptography] Iran and murder

2013-10-09 Thread Phillip Hallam-Baker
On Wed, Oct 9, 2013 at 12:44 AM, Tim Newsham tim.news...@gmail.com wrote: We are more vulnerable to widespread acceptance of these bad principles than almost anyone, ultimately, But doing all these things has won larger budgets and temporary successes for specific people and agencies

[Cryptography] The cost of National Security Letters

2013-10-09 Thread Phillip Hallam-Baker
One of the biggest problems with the current situation is that US technology companies have no ability to convince others that their equipment has not been compromised by a government mandated backdoor. This is imposing a significant and real cost on providers of outsourced Web Services and is

[Cryptography] PGP Key Signing parties

2013-10-09 Thread Phillip Hallam-Baker
Does PGP have any particular support for key signing parties built in or is this just something that has grown up as a practice of use? I am looking at different options for building a PKI for securing personal communications and it seems to me that the Key Party model could be improved on if

Re: [Cryptography] Elliptic curve question

2013-10-09 Thread Phillip Hallam-Baker
On Tue, Oct 8, 2013 at 4:14 PM, James A. Donald jam...@echeque.com wrote: On 2013-10-08 03:14, Phillip Hallam-Baker wrote: Are you planning to publish your signing key or your decryption key? Use of a key for one makes the other incompatible.� Incorrect. One's public key is always

Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

2013-10-07 Thread Phillip Hallam-Baker
On Sat, Oct 5, 2013 at 7:36 PM, James A. Donald jam...@echeque.com wrote: On 2013-10-04 23:57, Phillip Hallam-Baker wrote: Oh and it seems that someone has murdered the head of the IRG cyber effort. I condemn it without qualification. I endorse it without qualification. The IRG are bad

Re: [Cryptography] AES-256- More NIST-y? paranoia

2013-10-07 Thread Phillip Hallam-Baker
On Thu, Oct 3, 2013 at 12:21 PM, Jerry Leichter leich...@lrw.com wrote: On Oct 3, 2013, at 10:09 AM, Brian Gladman b...@gladman.plus.com wrote: Leaving aside the question of whether anyone weakened it, is it true that AES-256 provides comparable security to AES-128? I may be wrong about

Re: [Cryptography] Elliptic curve question

2013-10-07 Thread Phillip Hallam-Baker
On Mon, Oct 7, 2013 at 4:54 AM, Lay András and...@lay.hu wrote: Hi! I made a simple elliptic curve utility in command line PHP: https://github.com/LaySoft/ecc_phgp I know in the RSA, the sign is inverse operation of encrypt, so two different keypairs needs for encrypt and sign. In

Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

2013-10-07 Thread Phillip Hallam-Baker
On Sun, Oct 6, 2013 at 11:26 AM, John Kelsey crypto@gmail.com wrote: If we can't select ciphersuites that we are sure we will always be comfortable with (for at least some forseeable lifetime) then we urgently need the ability to *stop* using them at some point. The examples of MD5 and

Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

2013-10-05 Thread Phillip Hallam-Baker
On Thu, Oct 3, 2013 at 5:38 AM, Alan Braggins alan.bragg...@gmail.comwrote: On 02/10/13 18:42, Arnold Reinhold wrote: On 1 Oct 2013 23:48 Jerry Leichter wrote: The larger the construction project, the tighter the limits on this stuff. I used to work with a former structural engineer, and

Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

2013-10-05 Thread Phillip Hallam-Baker
On Fri, Oct 4, 2013 at 10:23 AM, John Kelsey crypto@gmail.com wrote: On Oct 4, 2013, at 10:10 AM, Phillip Hallam-Baker hal...@gmail.com wrote: ... Dobertin demonstrated a birthday attack on MD5 back in 1995 but it had no impact on the security of certificates issued using MD5 until

Re: [Cryptography] Sha3

2013-10-05 Thread Phillip Hallam-Baker
On Fri, Oct 4, 2013 at 12:27 AM, David Johnston d...@deadhat.com wrote: On 10/1/2013 2:34 AM, Ray Dillinger wrote: What I don't understand here is why the process of selecting a standard algorithm for cryptographic primitives is so highly focused on speed. ~ What makes you think Keccak is

Re: [Cryptography] check-summed keys in secret ciphers?

2013-10-05 Thread Phillip Hallam-Baker
On Mon, Sep 30, 2013 at 7:44 PM, arxlight arxli...@arx.li wrote: Just to close the circle on this: The Iranians used hundreds of carpet weavers (mostly women) to reconstruct a good portion of the shredded documents which they published (and I think continue to publish) eventually reaching

[Cryptography] A stealth redo on TLS with new encoding

2013-10-05 Thread Phillip Hallam-Baker
I think redoing TLS just to change the encoding format is to tilt at windmills. Same for HTTP (not a fan of CORE over DTLS), same for PKIX. But doing all three at once would actually make a lot of sense and I can see something like that actually happen. But only if the incremental cost of each

Re: [Cryptography] encoding formats should not be committee'ised

2013-10-03 Thread Phillip Hallam-Baker
On Thu, Oct 3, 2013 at 5:19 AM, ianG i...@iang.org wrote: On 3/10/13 00:37 AM, Dave Horsfall wrote: On Wed, 2 Oct 2013, Jerry Leichter wrote: Always keep in mind - when you argue for easy readability - that one of COBOL's design goals was for programs to be readable and understandable by

Re: [Cryptography] encoding formats should not be committee'ized

2013-10-02 Thread Phillip Hallam-Baker
Replying to James and John. Yes, the early ARPANET protocols are much better than many that are in binary formats. But the point where data encoding becomes an issue is where you have nested structures. SMTP does not have nested structures or need them. A lot of application protocols do. I have

Re: [Cryptography] RSA equivalent key length/strength

2013-09-28 Thread Phillip Hallam-Baker
On Fri, Sep 27, 2013 at 3:59 AM, John Gilmore g...@toad.com wrote: And the problem appears to be compounded by dofus legacy implementations that don't support PFS greater than 1024 bits. This comes from a misunderstanding that DH keysizes only need to be half the RSA length. So to go

Re: [Cryptography] The hypothetical random number generator backdoor

2013-09-25 Thread Phillip Hallam-Baker
On Tue, Sep 24, 2013 at 10:59 AM, Jerry Leichter leich...@lrw.com wrote: On Sep 22, 2013, at 8:09 PM, Phillip Hallam-Baker hal...@gmail.com wrote: I was thinking about this and it occurred to me that it is fairly easy to get a public SSL server to provide a client with a session key - just

Re: [Cryptography] RSA equivalent key length/strength

2013-09-25 Thread Phillip Hallam-Baker
On Sun, Sep 22, 2013 at 2:00 PM, Stephen Farrell stephen.farr...@cs.tcd.iewrote: On 09/22/2013 01:07 AM, Patrick Pelletier wrote: 1024 bits is enough for anyone That's a mischaracterisation I think. Some folks (incl. me) have said that 1024 DHE is arguably better that no PFS and if

[Cryptography] The hypothetical random number generator backdoor

2013-09-24 Thread Phillip Hallam-Baker
So we think there is 'some kind' of backdoor in a random number generator. One question is how the EC math might make that possible. Another is how might the door be opened. I was thinking about this and it occurred to me that it is fairly easy to get a public SSL server to provide a client with

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-21 Thread Phillip Hallam-Baker
On Thu, Sep 19, 2013 at 4:15 PM, Ben Laurie b...@links.org wrote: On 18 September 2013 21:47, Viktor Dukhovni cryptogra...@dukhovni.orgwrote: On Wed, Sep 18, 2013 at 08:04:04PM +0100, Ben Laurie wrote: This is only realistic with DANE TLSA (certificate usage 2 or 3), and thus will

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-21 Thread Phillip Hallam-Baker
On Thu, Sep 19, 2013 at 5:11 PM, Max Kington mking...@webhanger.com wrote: On 19 Sep 2013 19:11, Bill Frantz fra...@pwpconsult.com wrote: On 9/19/13 at 5:26 AM, rs...@akamai.com (Salz, Rich) wrote: I know I would be a lot more comfortable with a way to check the mail against a piece of

[Cryptography] InfoRequest: How to configure email clients to accept encrypted S/MIME

2013-09-21 Thread Phillip Hallam-Baker
Working on Prism Proof email, I could use information on how to configure various email clients to support S/MIME decryption using a previously generated key package. While descriptions of how the user can configure S/MIME would be nice, what I am really after is information on the internals so

Re: [Cryptography] RSA equivalent key length/strength

2013-09-19 Thread Phillip Hallam-Baker
On Wed, Sep 18, 2013 at 5:23 PM, Lucky Green shamr...@cypherpunks.towrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 2013-09-14 08:53, Peter Fairbrother wrote: I get that 1024 bits is about on the edge, about equivalent to 80 bits or a little less, and may be crackable either now

[Cryptography] Cryptographic mailto: URI

2013-09-19 Thread Phillip Hallam-Baker
I am in mid design here but I think I might have something of interest. Let us say I want to send an email to al...@example.com securely. Now obviously (to me anyway) we can't teach more than a small fraction of the net to use any identifier other than the traditional email address. So we need

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-18 Thread Phillip Hallam-Baker
A few clarifications 1) PRISM-Proof is a marketing term I have not spent a great deal of time looking at the exact capabilities of PRISM vs the other programs involved because from a design point they are irrelevant. The objective is to harden/protect the infrastructure from any ubiquitous,

Re: [Cryptography] An NSA mathematician shares his from-the-trenches view of the agency's surveillance activities

2013-09-18 Thread Phillip Hallam-Baker
On Tue, Sep 17, 2013 at 8:01 PM, John Gilmore g...@toad.com wrote: Techdirt takes apart his statement here: https://www.techdirt.com/articles/20130917/02391824549/nsa-needs-to-give-its-rank-and-file-new-talking-points-defending-surveillance-old-ones-are-stale.shtml NSA Needs To Give Its

[Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-17 Thread Phillip Hallam-Baker
My phrase PRISM-Proofing seems to have created some interest in the press. PRISM-Hardening might be more important, especially in the short term. The objective of PRISM-hardening is not to prevent an attack absolutely, it is to increase the work factor for the attacker attempting ubiquitous

[Cryptography] End to end

2013-09-16 Thread Phillip Hallam-Baker
Just writing document two in the PRISM-Proof series. I probably have to change the name before November. Thinking about 'Privacy Protected' which has the same initials. People talk about end-to-end without talking about what they are. In most cases at least one end is a person or an

Re: [Cryptography] End to end

2013-09-16 Thread Phillip Hallam-Baker
On Mon, Sep 16, 2013 at 3:14 PM, Ben Laurie b...@links.org wrote: On 16 September 2013 18:49, Phillip Hallam-Baker hal...@gmail.com wrote: To me the important thing about transparency is that it is possible for anyone to audit the key signing process from publicly available information

Re: [Cryptography] MITM source patching [was Schneier got spooked]

2013-09-16 Thread Phillip Hallam-Baker
On Mon, Sep 16, 2013 at 2:48 PM, zooko zo...@zooko.com wrote: On Sun, Sep 08, 2013 at 08:28:27AM -0400, Phillip Hallam-Baker wrote: It think we need a different approach to source code management. Get rid of user authentication completely, passwords and SSH are both a fragile approach

Re: [Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)

2013-09-11 Thread Phillip Hallam-Baker
On Wed, Sep 11, 2013 at 2:40 PM, Bill Stewart bill.stew...@pobox.comwrote: At 10:39 AM 9/11/2013, Phillip Hallam-Baker wrote: Perfect Forward Secrecy is not perfect. In fact it is no better than regular public key. The only difference is that if the public key system is cracked then with PFS

[Cryptography] Summary of the discussion so far

2013-09-11 Thread Phillip Hallam-Baker
I have attempted to produce a summary of the discussion so far for use as a requirements document for the PRISM-PROOF email scheme. This is now available as an Internet draft. http://www.ietf.org/id/draft-hallambaker-prismproof-req-00.txt I have left out acknowledgements and references at the

Re: [Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)

2013-09-11 Thread Phillip Hallam-Baker
On Tue, Sep 10, 2013 at 3:56 PM, Bill Stewart bill.stew...@pobox.comwrote: At 11:33 AM 9/6/2013, Peter Fairbrother wrote: However, while the case for forward secrecy is easy to make, implementing it may be a little dangerous - if NSA have broken ECDH then using it only gives them plaintext

Re: [Cryptography] The One True Cipher Suite

2013-09-09 Thread Phillip Hallam-Baker
On Mon, Sep 9, 2013 at 3:58 AM, ianG i...@iang.org wrote: On 9/09/13 02:16 AM, james hughes wrote: I am honestly curious about the motivation not to choose more secure modes that are already in the suites? Something I wrote a bunch of years ago seems apropos, perhaps minimally as a

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-08 Thread Phillip Hallam-Baker
On Sat, Sep 7, 2013 at 8:53 PM, Gregory Perry gregory.pe...@govirtual.tvwrote: On 09/07/2013 07:52 PM, Jeffrey I. Schiller wrote: Security fails on the Internet for three important reasons, that have nothing to do with the IETF or the technology per-se (except for point 3). 1. There is

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-08 Thread Phillip Hallam-Baker
On Sat, Sep 7, 2013 at 10:35 PM, Gregory Perry gregory.pe...@govirtual.tvwrote: On 09/07/2013 09:59 PM, Phillip Hallam-Baker wrote: Anyone who thinks Jeff was an NSA mole when he was one of the main people behind the MIT version of PGP and the distribution of Kerberos is talking daft

Re: [Cryptography] MITM source patching [was Schneier got spooked]

2013-09-08 Thread Phillip Hallam-Baker
On Sun, Sep 8, 2013 at 1:42 AM, Tim Newsham tim.news...@gmail.com wrote: Jumping in to this a little late, but: Q: Could the NSA be intercepting downloads of open-source encryption software and silently replacing these with their own versions? A: (Schneier) Yes, I believe so.

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-08 Thread Phillip Hallam-Baker
On Sat, Sep 7, 2013 at 9:50 PM, John Gilmore g...@toad.com wrote: First, DNSSEC does not provide confidentiality. Given that, it's not clear to me why the NSA would try to stop or slow its deployment. DNSSEC authenticates keys that can be used to bootstrap confidentiality. And it does

[Cryptography] Trapdoor symmetric key

2013-09-08 Thread Phillip Hallam-Baker
Two caveats on the commentary about a symmetric key algorithm with a trapdoor being a public key algorithm. 1) The trapdoor need not be a good public key algorithm, it can be flawed in ways that would make it unsuited for use as a public key algorithm. For instance being able to compute the

Re: [Cryptography] Trapdoor symmetric key

2013-09-08 Thread Phillip Hallam-Baker
On Sun, Sep 8, 2013 at 12:19 PM, Faré fah...@gmail.com wrote: On Sun, Sep 8, 2013 at 9:42 AM, Phillip Hallam-Baker hal...@gmail.com wrote: Two caveats on the commentary about a symmetric key algorithm with a trapdoor being a public key algorithm. 1) The trapdoor need not be a good

Re: [Cryptography] Market demands for security (was Re: Opening Discussion: Speculation on BULLRUN)

2013-09-08 Thread Phillip Hallam-Baker
On Sun, Sep 8, 2013 at 3:08 PM, Perry E. Metzger pe...@piermont.com wrote: On Sun, 8 Sep 2013 08:40:38 -0400 Phillip Hallam-Baker hal...@gmail.com wrote: The Registrars are pure marketing operations. Other than GoDaddy which implemented DNSSEC because they are trying to sell the business

Re: [Cryptography] Protecting Private Keys

2013-09-07 Thread Phillip Hallam-Baker
On Sat, Sep 7, 2013 at 10:20 AM, Jeffrey I. Schiller j...@mit.edu wrote: If I was the NSA, I would be scavenging broken hardware from “interesting” venues and purchasing computers for sale in interesting locations. I would be particularly interested in stolen computers, as they have likely

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-07 Thread Phillip Hallam-Baker
On Sat, Sep 7, 2013 at 5:19 AM, ianG i...@iang.org wrote: On 7/09/13 10:15 AM, Gregory Perry wrote: Correct me if I am wrong, but in my humble opinion the original intent of the DNSSEC framework was to provide for cryptographic authenticity of the Domain Name Service, not for

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Phillip Hallam-Baker
OK how about this: If a person at Snowden's level in the NSA had any access to information that indicated the existence of any program which involved the successful cryptanalysis of any cipher regarded as 'strong' by this community then the Director of National Intelligence, the Director of the

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Phillip Hallam-Baker
On Thu, Sep 5, 2013 at 3:58 PM, Perry E. Metzger pe...@piermont.com wrote: I would like to open the floor to *informed speculation* about BULLRUN. Informed speculation means intelligent, technical ideas about what has been done. It does not mean wild conspiracy theories and the like. I will

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Phillip Hallam-Baker
On Thu, Sep 5, 2013 at 4:41 PM, Perry E. Metzger pe...@piermont.com wrote: On Thu, 5 Sep 2013 15:58:04 -0400 Perry E. Metzger pe...@piermont.com wrote: I would like to open the floor to *informed speculation* about BULLRUN. Here are a few guesses from me: 1) I would not be surprised if

Re: [Cryptography] tamper-evident crypto? (was: BULLRUN)

2013-09-05 Thread Phillip Hallam-Baker
Sent from my difference engine On Sep 5, 2013, at 9:22 PM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: John Denker j...@av8n.com writes: To say the same thing the other way, I was always amazed that the Nazis were unable to figure out that their crypto was broken during WWII. There were

Re: [Cryptography] Three kinds of hash: Two are still under ITAR.

2013-09-04 Thread Phillip Hallam-Baker
While doing some research on the history of hashing for a client I discovered that it is described in the very first edition of the ACM journal and the paper is a translation of a Russian paper. One of the many problems with the ITAR mindset is the assumption that all real ideas are invented

Re: [Cryptography] Hashes into Ciphers

2013-09-04 Thread Phillip Hallam-Baker
On a more theoretical basis, Phil Rogaway gave a presentation at MIT many years ago where he showed the use of a one-way function as the construction primitive for every other type of symmetric algorithm. -- Website: http://hallambaker.com/ ___ The

Re: [Cryptography] NSA and cryptanalysis

2013-09-03 Thread Phillip Hallam-Baker
On Tue, Sep 3, 2013 at 12:49 AM, Jon Callas j...@callas.org wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Sep 2, 2013, at 3:06 PM, Jack Lloyd ll...@randombit.net wrote: On Mon, Sep 02, 2013 at 03:09:31PM -0400, Jerry Leichter wrote: a) The very reference you give says that

Re: [Cryptography] Keeping backups (was Re: Separating concerns

2013-09-03 Thread Phillip Hallam-Baker
Want to collaborate on an Internet Draft? This is obviously useful but it can only be made useful if everyone does it in the same way. On Tue, Sep 3, 2013 at 10:14 AM, Peter Gutmann pgut...@cs.auckland.ac.nzwrote: Phillip Hallam-Baker hal...@gmail.com writes: To backup the key we tell

Re: [Cryptography] Backup is completely separate

2013-09-03 Thread Phillip Hallam-Baker
On Mon, Sep 2, 2013 at 11:03 PM, John Kelsey crypto@gmail.com wrote: The backup access problem isn't just a crypto problem, it's a social/legal problem. There ultimately needs to be some outside mechanism for using social or legal means to ensure that, say, my kids can get access to at

Re: [Cryptography] NSA and cryptanalysis

2013-09-02 Thread Phillip Hallam-Baker
On Sun, Sep 1, 2013 at 10:35 PM, James A. Donald jam...@echeque.com wrote: On 2013-09-01 9:11 PM, Jerry Leichter wrote: Meanwhile, on the authentication side, Stuxnet provided evidence that the secret community *does* have capabilities (to conduct a collision attacks) beyond those known to

Re: [Cryptography] NSA and cryptanalysis

2013-09-02 Thread Phillip Hallam-Baker
You know, if there was a completely ironclad legal opinion that made use of ECC possible without the risk of a lawsuit costing over $2 million from Certicom then I would be happy to endorse a switch to ECC like the NSA is pushing for as well. I would not therefore draw the conclusion that NSA

Re: [Cryptography] Separating concerns

2013-08-29 Thread Phillip Hallam-Baker
On Thu, Aug 29, 2013 at 7:15 AM, Jerry Leichter leich...@lrw.com wrote: On Aug 28, 2013, at 2:04 PM, Faré wrote: My target audience, like Perry's is people who simply can't cope with anything more complex than an email address. For me secure mail has to look feel and smell exactly the same

Re: [Cryptography] IPv6 and IPSEC

2013-08-29 Thread Phillip Hallam-Baker
On Thu, Aug 29, 2013 at 1:59 PM, Taral tar...@gmail.com wrote: On Wed, Aug 28, 2013 at 12:08 PM, Lucky Green shamr...@cypherpunks.to wrote: Additional guidelines for IPv6 The sending IP must have a PTR record (i.e., a reverse DNS of the sending IP) and it should match the IP obtained via

Re: [Cryptography] Keeping backups (was Re: Separating concerns

2013-08-29 Thread Phillip Hallam-Baker
On Thu, Aug 29, 2013 at 1:30 PM, Perry E. Metzger pe...@piermont.comwrote: On Wed, 28 Aug 2013 20:04:34 +0200 Faré fah...@gmail.com wrote: One thing that irks me, though, is the problem of the robust, secure terminal: if everything is encrypted, how does one survive the

Re: [Cryptography] IPv6 and IPSEC

2013-08-29 Thread Phillip Hallam-Baker
, Aug 29, 2013 at 1:38 PM, Phillip Hallam-Baker hal...@gmail.com wrote: On Thu, Aug 29, 2013 at 1:59 PM, Taral tar...@gmail.com wrote: On Wed, Aug 28, 2013 at 12:08 PM, Lucky Green shamr...@cypherpunks.to wrote: Additional guidelines for IPv6 The sending IP must have a PTR

Re: [Cryptography] The Case for Formal Verification

2013-08-29 Thread Phillip Hallam-Baker
On Thu, Aug 29, 2013 at 4:46 PM, Perry E. Metzger pe...@piermont.comwrote: Taking a break from our discussion of new privacy enhancing protocols, I thought I'd share something I've been mumbling about in various private groups for a while. This is almost 100% on the security side of things,

Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-29 Thread Phillip Hallam-Baker
On Thu, Aug 29, 2013 at 3:31 PM, Callme Whatiwant nejuc...@gmail.comwrote: Hello, I'm new here, so I apologize if I'm repeating past arguments or asking old questions. On Tue, Aug 27, 2013 at 8:52 PM, Jerry Leichter leich...@lrw.com wrote: On Aug 27, 2013, at 9:48 PM, Perry E. Metzger

[Cryptography] Source for protocol compiler

2013-08-28 Thread Phillip Hallam-Baker
The source is up on sourceforge now. It does need some spring cleaning and documenting which I hope to get to next week. The documentation is in the following directory https://sourceforge.net/p/jsonschema/code/ci/master/tree/Web/ The origins of this work is that about 70% of the effort in

Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-27 Thread Phillip Hallam-Baker
On Tue, Aug 27, 2013 at 5:04 PM, Wendy M. Grossman wen...@pelicancrossing.net wrote: On 08/27/2013 18:34, ianG wrote: Why do we need the 1980s assumption of being able to send freely to everyone, anyway? It's clear you're not a journalist or working in any other profession where you

Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-27 Thread Phillip Hallam-Baker
On Tue, Aug 27, 2013 at 10:18 PM, Perry E. Metzger pe...@piermont.comwrote: On Tue, 27 Aug 2013 19:57:30 -0600 Peter Saint-Andre stpe...@stpeter.im wrote: On 8/27/13 7:47 PM, Jonathan Thornburg wrote: On Tue, 27 Aug 2013, Perry E. Metzger wrote: Say that you want to distribute a

Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-08-26 Thread Phillip Hallam-Baker
On Sun, Aug 25, 2013 at 7:42 PM, Christian Huitema huit...@huitema.netwrote: My knowledge of the field is pretty spotty in general as I've never paid much attention up until now -- mostly I know about how people have built DHTs in non-hostile environments. I'm close enough to starting

[Cryptography] Using Raspberry Pis

2013-08-26 Thread Phillip Hallam-Baker
I really like RPis as a cryptographic tool. The only thing that would make them better is a second Ethernet interface so they could be used as a firewall type device. However that said, the pros are: * Small, cheap, reasonably fast, has ethernet and even a monitor output * Boot from an SD card

Re: [Cryptography] Using Raspberry Pis

2013-08-26 Thread Phillip Hallam-Baker
On Mon, Aug 26, 2013 at 5:43 PM, Perry E. Metzger pe...@piermont.comwrote: On Mon, 26 Aug 2013 16:12:22 -0400 Phillip Hallam-Baker hal...@gmail.com wrote: I really like RPis as a cryptographic tool. The only thing that would make them better is a second Ethernet interface so they could

Re: [Cryptography] Traffic Analysis (was Re: PRISM PROOF Email)

2013-08-25 Thread Phillip Hallam-Baker
There has to be a layered approach. Traffic analysis is probably going to demand steganography and that is almost by definition outside standards work. The part of Prism that I consider to be blatantly unconstitutional is that they keep all the emails so that they can search them years later

Re: [Cryptography] What is the state of patents on elliptic curve cryptography?

2013-08-23 Thread Phillip Hallam-Baker
On Thu, Aug 22, 2013 at 1:20 AM, Daira Hopwood da...@jacaranda.org wrote: On 20/08/13 19:26, Phillip Hallam-Baker wrote: It is almost certain that most uses of EC would not infringe the remaining patents. But the patent holder can force anyone attempting to use them to spend about $3-5

Re: [Cryptography] PRISM PROOF Email

2013-08-23 Thread Phillip Hallam-Baker
On Fri, Aug 23, 2013 at 6:02 PM, Philip Whitehouse phi...@whiuk.com wrote: Let me just see if I get where you're going: So essentially you've increased the number of CAs to the number of companies without really solving the PRISM problem. The sheer number mean it's impractical to do much

Re: [Cryptography] PRISM PROOF Email

2013-08-23 Thread Phillip Hallam-Baker
On Fri, Aug 23, 2013 at 6:42 PM, Joe St Sauver j...@oregon.uoregon.eduwrote: I wouldn't take Snowden's alleged opsec practice, or lack thereof, as a demonstration proof that PGP and/or S/MIME are impossibly difficult for technical people (or even motivated NON-technical people) to use when

Re: [Cryptography] PRISM PROOF Email

2013-08-23 Thread Phillip Hallam-Baker
On Fri, Aug 23, 2013 at 3:34 PM, Ben Laurie b...@links.org wrote: On 22 August 2013 10:36, Phillip Hallam-Baker hal...@gmail.com wrote: Preventing key substitution will require a combination of the CT ideas proposed by Ben Laurie (so catenate proof notaries etc) and some form of 'no key

Re: [Cryptography] What is the state of patents on elliptic curve cryptography?

2013-08-21 Thread Phillip Hallam-Baker
It is almost certain that most uses of EC would not infringe the remaining patents. But the patent holder can force anyone attempting to use them to spend about $3-5 million to defend their right to use EC and so there is very little incentive to do so given that RSA 2048 is sufficient for almost

Re: [Cryptography] Snowden fabricated digital keys to get access to NSA servers?

2013-07-04 Thread Phillip Hallam-Baker
I think that fabricating a key here is more likely to mean fabricating an authentication 'key' rather than an encryption key. Alexander is talking to Congress and is deliberately being less than precise. So I would think in terms of application level vulnerabilities in Web based document servers.

Re: [Cryptography] Snowden fabricated digital keys to get access to NSA servers?

2013-07-04 Thread Phillip Hallam-Baker
I read an article today that claims one and a half million people have a Top Secret clearance. That kind of demonstrates how little Top Secret now means. On Sun, Jun 30, 2013 at 2:16 PM, Florian Weimer f...@deneb.enyo.de wrote: * John Gilmore: [John here. Let's try some speculation about