### Re: [Cryptography] AES-256- More NIST-y? paranoia

might consider looking for a better cipher at this point. The rationale is that AES-256 still provides a wider security margin. -- Tony Arcieri ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo

### Re: [Cryptography] encoding formats should not be committee'ized

grammar which is hopefully regular, context-free, or context-sensitive in a limited manner -- Tony Arcieri ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

### Re: [Cryptography] encoding formats should not be committee'ized

On Mon, Sep 30, 2013 at 6:04 PM, Mark Atwood m...@mark.atwood.name wrote: YAML? YAML is a bit insane ;) There's JSON, and also TOML: https://github.com/mojombo/toml -- Tony Arcieri ___ The cryptography mailing list cryptography@metzdowd.com http

### Re: [Cryptography] encoding formats should not be committee'ized

mistakes can radically alter the interpretation of a file. And on Ruby, it was a remote code execution vulnerability waiting to happen. -- Tony Arcieri ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo

### Re: [Cryptography] are ECDSA curves provably not cooked? (Re: RSA equivalent key length/strength)

looking seeds, continuing until the curve parameters, after the seed is run through SHA1, fall into the class that's known to be weak to them. -- Tony Arcieri ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman

### Re: [Cryptography] are ECDSA curves provably not cooked? (Re: RSA equivalent key length/strength)

is they probably didn't. -- Tony Arcieri ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

### Re: [Cryptography] Linux /dev/random and /dev/urandom

On Tue, Oct 1, 2013 at 11:10 AM, Isaac Bickerstaff j...@av8n.com wrote: I'm sure the driver was written by highly proficient cryptographers, and subjected to a meticulous code review. I'll just leave this here: http://eprint.iacr.org/2013/338.pdf -- Tony Arcieri

### Re: [Cryptography] [cryptography] are ECDSA curves provably not cooked? (Re: RSA equivalent key length/strength)

, so we would expect that Dual_EC_DRBG was their failed attempt to tamper with a cryptographic standard, and so we would overlook the more sinister and subtle attempts to tamper with the NIST curves/tinfoilhat -- Tony Arcieri ___ The cryptography mailing

### Re: [Cryptography] encoding formats should not be committee'ized

/2013-October/023009.html -- Tony Arcieri ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

### Re: [Cryptography] TLS2

C code? The theoretical argument against something like this is the resulting C code is a weird machine, i.e. ASN.1 cannot be understood by a pushdown automaton or described by a context-free grammar. See: http://www.cs.dartmouth.edu/~sergey/langsec/papers/langsec-tr.pdf -- Tony Arcieri

### Re: [Cryptography] TLS2

for a lot less modes and ciphers. And probably non-NIST curves while we're at it. Sounds like you want CurveCP? http://curvecp.org/ -- Tony Arcieri ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo

### Re: [Cryptography] paranoid cryptoplumbing is a probably not defending the weakest point

. The NSA of course participated in active attacks too, but it seems their main MO was passive traffic collection. But yes, endpoint security is weak, and an active attacker would probably choose that approach over trying to break particular algorithms. -- Tony Arcieri

### Re: [Cryptography] paranoid cryptoplumbing is a probably not defending the weakest point

accelerator hardware, stolen keys, etc., and a smart attacker goes for the points of weakness. As a counterpoint to what I was saying earlier, here's a tool that's likely focusing on the wrong problems: https://keybase.io/triplesec/ -- Tony Arcieri

### Re: [Cryptography] The paranoid approach to crypto-plumbing

some real advantages. I wish there was a term for this sort of design in encryption systems beyond just defense in depth. AFAICT there is not such a term. How about the Failsafe Principle? ;) -- Tony Arcieri ___ The cryptography mailing list

### Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

on the table if you want to build a quantum-proof system. -- Tony Arcieri ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

### Re: [Cryptography] Perfection versus Forward Secrecy

you can buy. I wouldn't be surprised to see a large quantum computer built in the next two decades. -- Tony Arcieri ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

### Re: [Cryptography] Quantum Computers for Shor's Algorithm (was Re: Perfection versus Forward Secrecy)

on the horizon, or if it falls into a category like nuclear fusion where work on it drags on indefinitely. -- Tony Arcieri ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

### Re: [Cryptography] Security is a total system problem (was Re: Perfection versus Forward Secrecy)

this approach. -- Tony Arcieri ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

### Re: [Cryptography] Radioactive random numbers

-random-number-generator -- Tony Arcieri ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

### Re: [Cryptography] Perfection versus Forward Secrecy

that will render messages unbreakable forever. -- Tony Arcieri ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

### Re: [Cryptography] What TLS ciphersuites are still OK?

, aside from maybe this draft supporting Salsa20: http://tools.ietf.org/html/draft-josefsson-salsa20-tls-02 -- Tony Arcieri ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

### Re: [Cryptography] Seed values for NIST curves

's parameters are provided in the paper. The 2^255-19 constant was selected by a theorem (see Theorem 2.1): http://cr.yp.to/ecdh/curve25519-20060209.pdf -- Tony Arcieri ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com

### Re: [Cryptography] AES state of the art...

-128 over AES-256. However, that is not the case. Here's a relevant page from Schneier's book Cryptography Engineering in which he recommends AES-256 (or switching to an algorithm without known attacks): https://pbs.twimg.com/media/BEvLoglCcAAqg4E.jpg -- Tony Arcieri

### Re: [Cryptography] Seed values for NIST curves

. The question is... suitable for what? djb argues it could be used to find a particularly weak curve, depending on what your goals are: http://i.imgur.com/o6Y19uL.png (originally from http://www.hyperelliptic.org/tanja/vortraege/20130531.pdf) -- Tony Arcieri

### Re: [Cryptography] In the face of cooperative end-points, PFS doesn't help

the traffic, even with PFS. Likewise with perfect forward secrecy, they can collect and store all your traffic for the next 10-20 years when they get a large quantum computer, and decrypt your traffic then. PFS is far from perfect -- Tony Arcieri

### Re: [Cryptography] Washington Post: Google racing to encrypt links between data centers

On Fri, Sep 6, 2013 at 4:53 PM, Marcus D. Leech mle...@ripnet.com wrote: One wonders why they weren't already using link encryption systems? Probably line rate and the cost of encrypting every single fiber link. There are few vendors who sell line rate encryption for 10Gbps+ -- Tony Arcieri

### Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

) or code-based (McEliece/McBits) public key systems are still considered post-quantum algorithms. There are no presently known quantum algorithms that work against these sorts of systems. See http://pqcrypto.org/ -- Tony Arcieri ___ The cryptography

### Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

.a.0.1.0.0.2.ip6.arpa/~bauerm/names/DHTsec.pdf -- Tony Arcieri ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography