Re: [Cryptography] Key stretching

2013-10-13 Thread Ray Dillinger
On 10/11/2013 11:22 AM, Jerry Leichter wrote: 1. Brute force. No public key-stretching algorithm can help, since the attacker will brute-force the k's, computing the corresponding K's as he goes. There is a completely impractical solution for this which is applicable in a very few

[Cryptography] Broken RNG renders gov't-issued smartcards easily hackable.

2013-10-11 Thread Ray Dillinger
Saw this on Arstechnica today and thought I'd pass along the link. More detailed version of the story available at: Short version:

Re: [Cryptography] prism-proof email in the degenerate case

2013-10-10 Thread Ray Dillinger
On 10/10/2013 12:54 PM, John Kelsey wrote: Having a public bulletin board of posted emails, plus a protocol for anonymously finding the ones your key can decrypt, seems like a pretty decent architecture for prism-proof email. The tricky bit of crypto is in making access to the bulletin

Re: [Cryptography] P=NP on TV

2013-10-09 Thread Ray Dillinger
On 10/07/2013 05:28 PM, David Johnston wrote: We are led to believe that if it is shown that P = NP, we suddenly have a break for all sorts of algorithms. So if P really does = NP, we can just assume P = NP and the breaks will make themselves evident. They do not. Hence P != NP. As

Re: [Cryptography] Sha3

2013-10-07 Thread Ray Dillinger
On 10/04/2013 07:38 AM, Jerry Leichter wrote: On Oct 1, 2013, at 5:34 AM, Ray Dillinger wrote: What I don't understand here is why the process of selecting a standard algorithm for cryptographic primitives is so highly focused on speed. If you're going to choose a single

Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

2013-10-07 Thread Ray Dillinger
Is it just me, or does the government really have absolutely no one with any sense of irony? Nor, increasingly, anyone with a sense of shame? I have to ask, because after directly suborning the cyber security of most of the world including the USA, and destroying the credibility of just about

[Cryptography] Politics - probably off topic here.

2013-10-07 Thread Ray Dillinger
Original message From: Phillip Hallam-Baker Date: 10/06/2013 08:18 (GMT-08:00) To: James A. Donald Cc: Subject: Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

2013-10-07 Thread Ray Dillinger
Original message From: Jerry Leichter Date: 10/06/2013 15:35 (GMT-08:00) To: John Kelsey Cc: List,Christoph Anton Mitterer,james hughes

Re: [Cryptography] AES-256- More NIST-y? paranoia

2013-10-05 Thread Ray Dillinger
On 10/03/2013 06:59 PM, Watson Ladd wrote: On Thu, Oct 3, 2013 at 3:25 PM, wrote: On Oct 3, 2013, at 12:21 PM, Jerry wrote: As *practical attacks today*, these are of no interest - related key attacks only apply in rather unrealistic scenarios, even

Re: [Cryptography] encoding formats should not be committee'ised

2013-10-05 Thread Ray Dillinger
On 10/04/2013 01:23 AM, James A. Donald wrote: On 2013-10-04 09:33, Phillip Hallam-Baker wrote: The design of WSDL and SOAP is entirely due to the need to impedance match COM to HTTP. That is fairly horrifying, as COM was designed for a single threaded environment, and becomes and

Re: [Cryptography] AES-256- More NIST-y? paranoia

2013-10-03 Thread Ray Dillinger
On 10/02/2013 02:13 PM, Brian Gladman wrote: The NIST specification only eliminated Rijndael options - none of the Rijndael options included in AES were changed in any way by NIST. Leaving aside the question of whether anyone weakened it, is it true that AES-256 provides comparable security

Re: [Cryptography] Sha3

2013-10-01 Thread Ray Dillinger
What I don't understand here is why the process of selecting a standard algorithm for cryptographic primitives is so highly focused on speed.  We have machines that are fast enough now that while speed isn't a non issue, it is no longer nearly as important as the process is giving it precedence

Re: [Cryptography] Sha3

2013-10-01 Thread Ray Dillinger
Okay, I didn't express myself very well the first time I tried to say this.   But as I see it,  we're still basing the design of crypto algorithms on considerations that had the importance we're treating them as having about twelve years ago.  To make an analogy, it's like making tires when

Re: [Cryptography] RSA recommends against use of its own products.

2013-09-21 Thread Ray Dillinger
*1 Anyone who attempts to generate random numbers by deterministic means is, of course, living in a state of sin. -- John Von Neumann That said, it seems that most of these attacks on Pseudorandom generators some of which are deliberately flawed, can be ameliorated somewhat by using

Re: [Cryptography] A lot to learn from Business Records FISA NSA Review

2013-09-19 Thread Ray Dillinger
On 09/16/2013 07:58 AM, Perry E. Metzger wrote: Well, we do know they created things like the (not very usable) seLinux MAC (Multilevel Access Control) system, so clearly they do some hacking on security infrastructure. SeLinux seems to be targeted mostly at organizational security, whereas

Re: [Cryptography] Impossible trapdoor systems (was Re: Opening Discussion: Speculation on BULLRUN)

2013-09-12 Thread Ray Dillinger
On 09/08/2013 11:49 AM, Perry E. Metzger wrote: That said, your hypothetical seems much like imagine that you can float by the power of your mind alone. The construction of such a cipher with a single master key that operates just like any other key seems nearly impossible, and that should be

Re: [Cryptography] Suite B after today's news

2013-09-08 Thread Ray Dillinger
On 09/05/2013 07:00 PM, Jon Callas wrote: I don't think they're actively bad, though. For the purpose they were created for -- parallelizable authenticatedencryption -- it serves its purpose. You can have a decent implementor implement them right in hardware and walk away. Given some of the

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-08 Thread Ray Dillinger
On 09/06/2013 05:58 PM, Jon Callas wrote: We know as a mathematical theorem that a block cipher with a back door *is* a public-key system. It is a very, very, very valuable thing, and suggests other mathematical secrets about hitherto unknown ways to make fast, secure public key systems.

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-08 Thread Ray Dillinger
On 09/07/2013 07:51 PM, John Kelsey wrote: Pairwise shared secrets are just about the only thing that scales worse than public key distribution by way of PGP key fingerprints on business cards. If we want secure crypto that can be used by everyone, with minimal trust, public key is the

Re: [Cryptography] MITM source patching [was Schneier got spooked]

2013-09-08 Thread Ray Dillinger
On 09/08/2013 05:28 AM, Phillip Hallam-Baker wrote: every code update to the repository should be signed and recorded in an append only log and the log should be public and enable any party to audit the set of updates at any time. This would be 'Code Transparency'. Problem is we would need to

Re: [Cryptography] Suite B after today's news

2013-09-08 Thread Ray Dillinger
On 09/08/2013 10:13 AM, Thor Lancelot Simon wrote: On Sat, Sep 07, 2013 at 07:19:09PM -0700, Ray Dillinger wrote: Given good open-source software, an FPGA implementation would provide greater assurance of security. How sure are you that an FPGA would actually be faster than you can already

Re: [Cryptography] [cryptography] Random number generation influenced, HW RNG

2013-09-08 Thread Ray Dillinger
On 09/08/2013 04:27 AM, Eugen Leitl wrote: On 2013-09-08 3:48 AM, David Johnston wrote: Claiming the NSA colluded with intel to backdoor RdRand is also to accuse me personally of having colluded with the NSA in producing a subverted design. I did not. Well, since you personally did this,

Re: [Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-07 Thread Ray Dillinger
On 09/06/2013 01:25 PM, Jerry Leichter wrote: A response he wrote as part of a discussion at Q: Could the NSA be intercepting downloads of open-source encryption software and silently replacing these with their own versions?

[Cryptography] Three kinds of hash: Two are still under ITAR.

2013-09-03 Thread Ray Dillinger
On 09/03/2013 09:54 AM, wrote: --Alexander Kilmov wrote: --David Mercer wrote: 2) Is anyone aware of ITAR changes for SHA hashes in recent years that require more than the requisite notification email to NSA for download URL and authorship information? Figuring this one out

Re: [Cryptography] Functional specification for email client?

2013-09-01 Thread Ray Dillinger
On 08/31/2013 02:53 PM, John Kelsey wrote: I think it makes sense to separate out the user-level view of what happens. True. I shouldn't have muddied up user-side view with notes about packet forwarding, mixing, cover traffic, and domain lookup, etc. Some users (I think) will want to know

Re: [Cryptography] NSA and cryptanalysis

2013-08-31 Thread Ray Dillinger
On 08/30/2013 08:10 PM, Aaron Zauner wrote: I read that WP report too. IMHO this can only be related to RSA (factorization, side-channel attacks). I have been hearing rumors lately that factoring may not in fact be as hard as we have heretofore supposed. Algorithmic advances keep eating

[Cryptography] Functional specification for email client?

2013-08-30 Thread Ray Dillinger
Okay... User-side spec: 1. An email address is a short string freely chosen by the email user. It is subject to the constraint that it must not match anyone else's email address, but may (and should) be pronounceable in ordinary language and writable with the same character set

Re: [Cryptography] Functional specification for email client?

2013-08-30 Thread Ray Dillinger
On 08/30/2013 01:52 PM, Jonathan Thornburg wrote: On Fri, 30 Aug 2013, Ray Dillinger wrote: 3. When an email user gets an email, s/he is absolutely sure that it comes from the person who holds the email address listed in its from line. S/he may or may not have any clue who

Re: [Cryptography] Good private email

2013-08-26 Thread Ray Dillinger
On 08/26/2013 04:12 AM, Richard Salz wrote: You need the client to be able to generate a keypair, upload the public half, and pull down (seamlessly) recipient public keys. You need a server to store and return those keys. You need an installed base to kickstart the network effect. Who has

Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-26 Thread Ray Dillinger
On 08/25/2013 03:28 PM, Perry E. Metzger wrote: So, imagine that we have the situation described by part 1 (some universal system for mapping name@domain type identifiers into keys with reasonable trust) and part 2 (most users having some sort of long lived $40 device attached to their home

Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-08-26 Thread Ray Dillinger
On 08/25/2013 08:32 PM, Jerry Leichter wrote: Where mail servers have gotten into trouble is when they've tried to provide additional services - e.g., virus scanners, which then try to look inside of complex formats like zip files. This is exactly the kind of thing you want to avoid - another

Re: [Cryptography] Good private email

2013-08-26 Thread Ray Dillinger
On 08/26/2013 10:39 AM, Jerry Leichter wrote: On Aug 26, 2013, at 1:16 PM, Ray Dillinger wrote: Even a tiny one-percent-of-a-penny payment that is negligible between established correspondents or even on most email lists would break a spammer. This (and variants, like

Re: [Cryptography] PRISM PROOF Email

2013-08-25 Thread Ray Dillinger
On 08/22/2013 02:36 AM, Phillip Hallam-Baker wrote: Thanks to Snowden we now have a new term of art 'Prism-Proof', i.e. a security scheme that is proof against state interception. Having had an attack by the Iranians, I am not just worried about US interception. Chinese and Russian intercepts

Re: [Cryptography] Snowden fabricated digital keys to get access to NSA servers?

2013-06-29 Thread Ray Dillinger
On 06/28/2013 09:36 PM, Udhay Shankar N wrote: On Sat, Jun 29, 2013 at 4:30 AM, John wrote: [John here. Let's try some speculation about what this phrase, fabricating digital keys, might mean.] Perhaps something conceptually similar to PGP's Additional Decryption Key

Computer health certificate plan indistinguishable from Denial Of Service attack.

2010-10-06 Thread Ray Dillinger
Microsoft is sending up a test balloon on a plan to 'quarantine' computers from accessing the Internet unless they produce a 'health certificate' to ensure that software patches are applied, a firewall is installed and configured correctly, an antivirus program with current signatures is

English 19-year-old jailed for refusal to disclose decryption key

2010-10-06 Thread Ray Dillinger
a 19-year-old just got a 16-month jail sentence for his refusal to disclose the password that would have allowed investigators to see what was on his hard drive. I suppose that, if the authorities could not read his stuff without the key, it may mean that the software he was using may have

RE: Has there been a change in US banking regulations recently?

2010-08-15 Thread Ray Dillinger
On Fri, 2010-08-13 at 14:55 -0500, wrote: Moore's law helped immensely here. In the last 5 years systems have gotten about 8 times faster, reducing the processing cost of crypto a lot. The big drawback is that those who want to follow NIST's recommendations

About that Mighty Fortress... What's it look like?

2010-07-31 Thread Ray Dillinger
Assume, contra facto, that in some future iteration of PKI, it works, and works very well. What the heck does it look like? At a guess Anybody can create a key (or key pair). They get one clearly marked private, which they're supposed to keep, and one clearly marked public, which

Re: Crypto dongles to secure online transactions

2009-11-25 Thread Ray Dillinger
On Fri, 2009-11-20 at 20:13 +1300, Peter Gutmann wrote: Because (apart from the reasons given above) with business use specifically you run into insurmountable PC - device communications problems. Many companies who handle large financial transactions are also ones who, due to concern over

Re: Client Certificate UI for Chrome? [OT anonymous-transaction bull***t]

2009-08-21 Thread Ray Dillinger
[Moderator's note: this is getting a bit off topic, and I'd prefer to limit followups. --Perry] On Wed, 2009-08-19 at 06:23 +1000, James A. Donald wrote: Ray Dillinger wrote: If there is not an existing relationship (first time someone uses an e-tailer) then there has to be a key

Re: MD6 withdrawn from SHA-3 competition

2009-07-06 Thread Ray Dillinger
On Sat, 2009-07-04 at 10:39 -0700, Hal Finney wrote: Rivest: Thus, while MD6 appears to be a robust and secure cryptographic hash algorithm, and has much merit for multi-core processors, our inability to provide a proof of security for a reduced-round (and possibly

Re: consulting question.... (DRM)

2009-05-27 Thread Ray Dillinger
On Tue, 2009-05-26 at 18:49 -0700, John Gilmore wrote: It's a little hard to help without knowing more about the situation. I.e. is this a software company? Hardware? Music? Movies? Documents? E-Books? It's a software company. Is it trying to prevent access to something, or the

Re: consulting question....

2009-05-27 Thread Ray Dillinger
On Wed, 2009-05-27 at 10:31 -0400, Roland Dowdeswell wrote: I have noticed in my years as a security practitioner, that in my experience non-security people seem to assume that a system is perfectly secure until it is demonstrated that it is not with an example of an exploit. Until an

consulting question....

2009-05-26 Thread Ray Dillinger
experience, seems foolish? Ray Dillinger - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to

Re: [tahoe-dev] SHA-1 broken! (was: Request for hash-dependency in Tahoe security.)

2009-05-01 Thread Ray Dillinger
On Thu, 2009-04-30 at 13:56 +0200, Eugen Leitl wrote: Wow! These slides say that they discovered a way to find collisions in SHA-1 at a cost of only 2^52 computations. If this turns out to be right (and the authors

Re: Judge orders defendant to decrypt PGP-protected laptop

2009-03-05 Thread Ray Dillinger
On Tue, 2009-03-03 at 21:33 -0500, Ivan Krsti? wrote: If you give me the benefit of the doubt for having a reasonable general grasp of the legal system and not thinking the judge is an automaton or an idiot, can you explain to me how you think the judge can meet the burden of proof for

Re: Security through kittens, was Solving password problems

2009-02-25 Thread Ray Dillinger
On Wed, 2009-02-25 at 14:53 +, John Levine wrote: You're right, but it's not obvious to me how a site can tell an evil MITM proxy from a benign shared web cache. The sequence of page accesses would be pretty similar. There is no such thing as a benign web cache for secure pages. If you

UCE - a simpler approach using just digital signing?

2009-01-30 Thread Ray Dillinger
I have a disgustingly simple proposal. It seems to me that one of the primary reasons why UCE-limiting systems fail is the astonishing complexity of having a trust infrastructure maintained by trusted third parties or shared by more than one user. Indeed, trusted third party and trust shared

Re: Bitcoin P2P e-cash paper

2008-11-17 Thread Ray Dillinger
Okay I'm going to summarize this protocol as I understand it. I'm filling in some operational details that aren't in the paper by supplementing what you wrote with what my own design sense tells me are critical missing bits or obvious methodologies for use. First, people spend computer

Re: Bitcoin P2P e-cash paper

2008-11-17 Thread Ray Dillinger
On Sat, 2008-11-15 at 12:43 +0800, Satoshi Nakamoto wrote: I'll try and hurry up and release the sourcecode as soon as possible to serve as a reference to help clear up all these implementation questions. Ray Dillinger (Bear) wrote: When a coin is spent, the buyer and seller digitally

Re: Bitcoin P2P e-cash paper

2008-11-07 Thread Ray Dillinger
On Tue, 2008-11-04 at 06:20 +1000, James A. Donald wrote: If I understand Simplified Payment Verification correctly: New coin issuers need to store all coins and all recent coin transfers. There are many new coin issuers, as many as want to be issuers, but far more coin users.

Re: Who cares about side-channel attacks?

2008-11-01 Thread Ray Dillinger
On Thu, 2008-10-30 at 16:32 +1300, Peter Gutmann wrote: Look at the XBox attacks for example, there's everything from security 101 lack of checking/validation and 1980s MSDOS-era A20# issues through to Bunnie Huang's FPGA-based homebrew logic analyser and use of timing attacks to recover

Re: User interface, security, and simplicity

2008-05-04 Thread Ray Dillinger
On Sat, 2008-05-03 at 23:35 +, Steven M. Bellovin wrote: There's a technical/philosophical issue lurking here. We tried to solve it in IPsec; not only do I think we didn't succeed, I'm not at all clear we could or should have succeeded. IPsec operates at layer 3, where there are

Re: Death of antivirus software imminent

2008-01-18 Thread Ray Dillinger
On Fri, 2008-01-18 at 02:31 -0800, Alex Alten wrote: At 07:35 PM 1/18/2008 +1000, James A. Donald wrote: And all the criminals will of course obey the law. Why not just require them to set an evil flag on all their packets? These are trite responses. Of course not. My point is that