Re: luks disk encryption benchmarks

2007-06-21 Thread Travis H.
On Tue, Jun 05, 2007 at 07:00:51PM -0500, Travis H. wrote: I just did some performance testing on a file server (debian 4.0) and thought I'd share the figures, both raw and using the luks cryptosystem described here: http://luks.endorphin.org/about Here's the specs: AMD Athlon 64 x2

luks disk encryption benchmarks

2007-06-09 Thread Travis H.
I just did some performance testing on a file server (debian 4.0) and thought I'd share the figures, both raw and using the luks cryptosystem described here: http://luks.endorphin.org/about Here's the specs: AMD Athlon 64 x2 3600+ (1800MHz) 2GB 800MHz DDR2 ECC DRAM Asus M2N32WS motherboard

crypto maxims

2007-05-24 Thread Travis H.
I have posted my ideas on defensive use of crypto here: https://www.subspacefield.org/security/cgi-bin/moin.py/CryptoMaxims This is not about cipher design, it's more about protocol design and implementation. Everyone here is welcome to edit it as they see fit; questions and answers, discussion

kernel-level key management subsystem

2007-05-18 Thread Travis H.
Ignoring special-purpose hardware, does anyone have thoughts on what the requirements for a kernel-level key management subsystem should be? -- Kill dash nine, and it's no more CPU time, kill dash nine, and that process is mine. -- URL:http://www.subspacefield.org/~travis/ For a good time on my

Re: More info in my AES128-CBC question

2007-05-12 Thread Travis H.
On Wed, May 09, 2007 at 06:11:03PM -0400, Leichter, Jerry wrote: Just being able to generate traffic over the link isn't enough to carry out this attack. Well, it depends on if you key per-flow or just once for the link. If the latter, and you have the ability to create traffic over the link,

Re: phone encryption technology becoming popular in Italy

2007-05-12 Thread Travis H.
On Wed, May 02, 2007 at 06:12:31PM +0100, Dave Korn wrote: If you wanted to be /really/ certain, I guess you'd have to take the tops off all the ICs inside and look at them under an EM, to make sure they really were the parts they claimed to be and don't have any extra circuitry or hidden

Re: More info in my AES128-CBC question

2007-05-12 Thread Travis H.
On Wed, May 09, 2007 at 06:04:20PM -0400, Leichter, Jerry wrote: However, cryptographically secure RNG's are typically just as expensive as doing a block encryption. So why not just encrypt the IV once with the session key before using it? (This is the equivalent of pre-pending a block of

Re: More info in my AES128-CBC question

2007-05-09 Thread Travis H.
On Fri, Apr 27, 2007 at 05:13:44PM -0400, Leichter, Jerry wrote: Frankly, for SSH this isn't a very plausible attack, since it's not clear how you could force chosen plaintext into an SSH session between messages. A later paper suggested that SSL is more vulnerable: A browser plugin can

Re: Public key encrypt-then-sign or sign-then-encrypt?

2007-05-09 Thread Travis H.
On Wed, May 02, 2007 at 09:29:39AM -0600, Anne Lynn Wheeler wrote: where there is possibly the suggestion that if the only thing being performed is authentication (and doesn't require either integrity and/or privacy) ... then possibly a totally different protocol be utilized (rather than

Re: Public key encrypt-then-sign or sign-then-encrypt?

2007-05-09 Thread Travis H.
On Thu, May 03, 2007 at 07:57:18PM +1000, James A. Donald wrote: Assume Ann's secret key is a, and her public key is A = G^a mod P Assume Bob's secret key is b, and his public key is B = G^b mod P Bob wants to send Ann a message. Bob generates a secret random number x, and sends Ann X =

Re: More info in my AES128-CBC question

2007-04-26 Thread Travis H.
On Wed, Apr 25, 2007 at 05:42:44PM -0500, Nicolas Williams wrote: A confounder is an extra block of random plaintext that is prepended to a message prior to encryption with a block cipher in CBC (or CTS) mode; the resulting extra block of ciphertext must also be sent to the peer. Not true.

Why CBC? What is wrong with n-bit CFB?

2007-04-26 Thread Travis H.
I've always wondered this about the lesser-used modes. What's special about CBC? With CFB in particular, I think 8-bit CFB is stupid (one full block encryption per byte processed - rather computationally expensive), but n-bit CFB seems just as useful as CBC, if not more so. Specifically, I can

truncating MACs for confidentiality, was Re: Public key encrypt-then-sign or sign-then-encrypt?

2007-04-26 Thread Travis H.
One more thing to consider; if you pick a reasonable MAC with twice the security factor you need, then truncate the output to half the size, I believe you get both confidentiality and integrity/authentication guarantees of the desired strength. -- Kill dash nine, and it's no more CPU time, kill

open source disk crypto update

2007-04-25 Thread Travis H.
Forgive me as this isn't as technical as the usual posts, but I find it interesting nonetheless. OpenBSD has, for some time, supported encrypted swap. Just recently I discovered Debian default installs now support encrypted root (/boot still needs to be decrypted). Presumably we are moving

Re: interesting and thought provoking resources on quantum crypto

2007-02-09 Thread Travis H.
On Thu, Feb 08, 2007 at 04:29:25PM -0800, Saqib Ali wrote: i have been tasked by my advisor to create series of mini-lectures slides on the topic of cryptography for a freshman year CS class. You know, you shouldn't use the Internet to ask people to do your homework for you... ;-) j/k any

Re: Entropy of other languages

2007-02-07 Thread Travis H.
On Sun, Feb 04, 2007 at 03:46:41PM -0800, Allen wrote: An idle question. English has a relatively low entropy as a language. Don't recall the exact figure, but if you look at words that start with q it is very low indeed. I seem to recall Shannon did some experiments which showed that with a

Re: Entropy of other languages

2007-02-07 Thread Travis H.
On Wed, Feb 07, 2007 at 05:42:49AM -0800, Sandy Harris wrote: He starts from information theory and an assumption that there needs to be some constant upper bound on the receiver's per-symbol processing time. From there, with nothing else, he gets to a proof that the optimal frequency

Re: Entropy of other languages

2007-02-07 Thread Travis H.
On Wed, Feb 07, 2007 at 05:53:16PM -0500, Steven M. Bellovin wrote: Speakers of such Native American languages as Navajo, Choctaw and Cheyenne served as radio operators, known as Code Talkers, to keep communications secret during both World Wars. Welsh speakers played a

OTP, was Re: data under one key, was Re: analysis and implementation of LRW

2007-02-05 Thread Travis H.
On Sun, Feb 04, 2007 at 11:27:00PM -0500, Leichter, Jerry wrote: | 1) use a random key as large as the plaintext (one-time-pad) ...thus illustrating once again both the allure and the uselessness (in almost all situations) of one-time pads. For long-term storage, you are correct, OTP at best

deriving multiple keys from one passphrase

2007-02-03 Thread Travis H.
Hey, quick question. If one wants to have multiple keys, but for ease-of-use considerations want to only have the user enter one, is there a preferred way to derive multiple keys that, while not independent, are computationally independent? I was thinking of hashing the passphrase with a unique

data under one key, was Re: analysis and implementation of LRW

2007-01-30 Thread Travis H.
On Wed, Jan 24, 2007 at 03:28:50PM -0800, Allen wrote: If 4 gigs is right, would it then be records to look for to break the code via birthday attacks would be things like seismic data, In case anyone else couldn't parse this, he means the amount of encrypted material necessary to break the

length-extension and Merkle-Damgard hashes

2007-01-30 Thread Travis H.
So I was reading this: http://en.wikipedia.org/wiki/Merkle-Damgard It seems to me the length-extension attack (given one collision, it's easy to create others) is not the only one, though it's obviously a big concern to those who rely on it. This attack thanks to Schneier: If the ideal hash

block cipher modes and collisions

2007-01-25 Thread Travis H.
The wikipedia page on the IEEE SISWG debate about LRW says: [A] general security requirement for any block cipher, regardless of mode of operation, is that no block cipher should be used to encrypt any more data, without changing the key, when the probability of a collision becomes not negligible

OT: SSL certificate chain problems

2007-01-24 Thread Travis H.
Hi, This is not really typical of the traffic on this list, hence the OT. I send it because I think this is one of the few places where I'll find some people with deep understanding of SSL certs. Recently I had an issue where Google checkout would not accept an SSL certificate because Apache

Re: Private Key Generation from Passwords/phrases

2007-01-21 Thread Travis H.
On Sun, Jan 21, 2007 at 12:13:09AM -0500, Steven M. Bellovin wrote: Could you explain this? It's late, but this makes no sense at all to me. I probably wasn't clear, you bring out my realization that there are a number of unwritten assumptions going on here. Similarly, the size of the output

Re: Private Key Generation from Passwords/phrases

2007-01-20 Thread Travis H.
On Fri, Jan 19, 2007 at 12:11:40AM -0800, Bill Stewart wrote: One of the roots of the problem is that for many applications, i is a well-defined event and P(i) is a fixed value (for i) , but for many other applications, i might not be a well-defined event, and/or P(i) is really a conditional

Re: gang uses crypto to hide identity theft databases

2006-12-26 Thread Travis H.
On Sun, Dec 24, 2006 at 11:10:40PM +, Rick van Rein wrote: This is not =entirely= true. A key stored in the same (non-swappable) location for a long time will burn into the memory. (I know that I am reacting beside the point of your story, to which I agree.) Pimpin' Peters Papers:

Skype reverse-engineering details

2006-12-21 Thread Travis H.
Some very juicy details here: http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pd -- Cryptography is nothing more than a mathematical framework for discussing various paranoid delusions. -- Don Alvarez URL:http://www.subspacefield.org/~travis/ --

Re: Traffic Analysis References

2006-10-22 Thread Travis H.
On 10/19/06, Leandro Meiners [EMAIL PROTECTED] wrote: Can anybody point me to any good references regarding traffic analysis? This is the only interesting page I found on it: http://guh.nu/projects/ta/safeweb/safeweb.html There are some historical incidents that are sufficiently old to be

hashes on restricted domains: random functions or permutations?

2006-10-17 Thread Travis H.
So I was reading about the OTP system (based on S/Key) described in RFC 2289. It basically hashes a secret several times (with salt to individualize it) and stores the value that the correct password will hash to. Now my question is, if we restrict ourselves to, say, 160-bit inputs, is SHA-1 a
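
An added example (not from the message or from RFC 2289) of the two things this post touches: the S/Key-style chain, where the server stores hash^N of the secret and each login presents the preimage of the stored value, and the question of whether a hash restricted to a small domain behaves like a permutation or a random function. The 64-bit fold and the seed||passphrase encoding below are simplified stand-ins for what RFC 2289 actually specifies; the image-size count is the empirical check: over all 16-bit inputs a permutation would hit all 65536 outputs, while a random function hits about (1 - 1/e) of them.

```python
import hashlib

def fold64(digest: bytes) -> bytes:
    """Fold a digest down to 8 bytes by XOR (simplified; not the exact RFC 2289 fold or byte order)."""
    out = bytearray(8)
    for i, b in enumerate(digest):
        out[i % 8] ^= b
    return bytes(out)

def otp_step(x: bytes) -> bytes:
    """One link of the chain: SHA-1 of the previous value, folded to 64 bits."""
    return fold64(hashlib.sha1(x).digest())

def otp_initial(seed: str, passphrase: str, n: int) -> bytes:
    """Client side: hash seed||passphrase (the seed individualizes the chain) and apply otp_step n times."""
    x = otp_step((seed + passphrase).encode())
    for _ in range(n):
        x = otp_step(x)
    return x

class OTPServer:
    """Stores only the last accepted value; a login must present its preimage under otp_step.
    Replaying a value fails because the stored value has already moved one step down the chain."""
    def __init__(self, stored: bytes, counter: int):
        self.stored, self.counter = stored, counter

    def login(self, presented: bytes) -> bool:
        if self.counter == 0 or otp_step(presented) != self.stored:
            return False
        self.stored, self.counter = presented, self.counter - 1
        return True

def image_size(bits: int = 16) -> int:
    """Count distinct outputs of SHA-1 truncated to `bits` bits over every `bits`-bit input.
    A permutation would return 2**bits; a random function returns roughly (1 - 1/e) * 2**bits,
    and iterating the chain shrinks the reachable set further with every step."""
    seen = set()
    for i in range(2 ** bits):
        seen.add(hashlib.sha1(i.to_bytes(bits // 8, "big")).digest()[:bits // 8])
    return len(seen)
```

The practical consequence of the shrinking image is that the effective keyspace of a long chain is somewhat smaller than the nominal 64 bits, which is one reason RFC 2289 bounds the sequence length and reseeds.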

Re: handling weak keys using random selection and CSPRNGs

2006-10-13 Thread Travis H.
On 10/12/06, Leichter, Jerry [EMAIL PROTECTED] wrote: Beyond that: Are weak keys even detectable using a ciphertext-only attack (beyond simply trying them - but that can be done with *any* small set of keys)? Yes, generally, that's the definition of a weak key. But that's an odd attack to

Re: TPM disk crypto

2006-10-12 Thread Travis H.
On 10/9/06, Adam Back [EMAIL PROTECTED] wrote: The bad part is that the user is not given control to modify the hash and attest as if it were the original so that he can insert his own code, debug, modify etc. (All that is needed is a debug option in the BIOS to do this that only the user can

deriving multiple keys from one passphrase

2006-10-10 Thread Travis H.
What is the accepted way to derive several keys from a user-supplied input? Or, can you see anything wrong by prepending a counter to the passphrase and hashing it to create derived keys? k_n = hash(n || passphrase) I suppose a faster system would involve using hash(passphrase) as the key and

Discussion of SIGABA, FPGA query, automated cipher construction, c.

2006-10-10 Thread Travis H.
First, I found this interesting site by John Savard which discusses the various crypto designs since... well, since pencil and paper systems. Notable is the detailed discussion of the declassified SIGABA machine: http://www.quadibloc.com/crypto/jscrypt.htm Next, can anyone point me in the

handling weak keys using random selection and CSPRNGs

2006-10-10 Thread Travis H.
Hi all, It occurred to me that there is a half-decent way to avoid weak keys in algorithms when it is undesirable or impossible to prompt the user for a different passphrase. It is even field-upgradable if new weak keys are found. Basically, instead of using the hash of the passphrase up front,
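
An added example, not code from any of the messages, covering both the k_n = hash(n || passphrase) construction from the "deriving multiple keys from one passphrase" threads and the weak-key idea in this post: seed a deterministic generator from the passphrase and draw candidates until one passes a replaceable weak-key predicate. The salt and PBKDF2 stretching are my additions, as is the use of HMAC-SHA256 as the counter-mode generator; the DES weak-key list is real, the `c[0] < 0x80` predicate used in the usage note is a constructed one chosen so that rejection actually happens in a demo.

```python
import hashlib
import hmac

def derive_key_simple(passphrase: bytes, n: int) -> bytes:
    """The construction asked about in the thread: k_n = hash(n || passphrase)."""
    return hashlib.sha256(n.to_bytes(4, "big") + passphrase).digest()

def stretched_seed(passphrase: bytes, salt: bytes, iterations: int = 200_000) -> bytes:
    """Hardening added here (not in the post): a salt and PBKDF2 so each passphrase guess is expensive."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations)

DES_WEAK_KEYS = {
    bytes.fromhex(h) for h in ("0101010101010101", "fefefefefefefefe",
                               "e0e0e0e0f1f1f1f1", "1f1f1f1f0e0e0e0e")
}

def des_weak(key: bytes) -> bool:
    """A real-world predicate: the four DES weak keys (the semi-weak pairs are omitted here)."""
    return key in DES_WEAK_KEYS

def derive_keys(seed: bytes, labels, key_len: int, is_weak=lambda k: False) -> dict:
    """One key per label from a counter-mode stream (HMAC-SHA256 as the generator).
    A candidate the predicate rejects is skipped by advancing the counter, which is what
    makes the scheme field-upgradable: a new predicate only changes the keys it rejects."""
    keys = {}
    for label in labels:
        counter = 0
        while True:
            candidate = hmac.new(seed, label + counter.to_bytes(4, "big"),
                                 hashlib.sha256).digest()[:key_len]
            if not is_weak(candidate):
                keys[label] = candidate
                break
            counter += 1
    return keys
```

Usage: `derive_keys(stretched_seed(pw, salt), [b"enc", b"mac"], 32)` gives label-separated keys; passing `is_weak=des_weak` with `key_len=8` gives DES keys that are never one of the four weak values, and swapping in a stricter predicate later leaves every key that the new predicate still accepts unchanged.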

Re: TPM disk crypto

2006-10-06 Thread Travis H.
On 10/2/06, Erik Tews [EMAIL PROTECTED] wrote: On Sunday, 01.10.2006, 23:42 -0500, Travis H. wrote: Anyone have any information on how to develop TPM software? http://tpm4java.datenzone.de/ Using this lib, you need less than 10 lines of java-code for doing some simple

Re: TPM disk crypto

2006-10-06 Thread Travis H.
On 10/5/06, Erik Tews [EMAIL PROTECTED] wrote: First, you need a system with tpm. I assume you are running linux. Then you boot your linux-kernel and an initrd using the trusted grub bootloader. Your bios will report the checksum of trusted grub to the tpm before giving control to your grub

wanted: mod arith equivalences/tautologies

2006-10-03 Thread Travis H.
Hey does anyone have a good link for the various equivalencies (or inequivalencies) for modular arithmetic? I realize some will only apply to certain moduli, especially primes. I'm basically wanting to find some good algorithms for certain simple computations, like f(x) = ax + b (mod n), or the

TPM disk crypto

2006-10-02 Thread Travis H.
Quoting: Disk drives gear up for a lockdown Rick Merritt, EE Times (09/25/2006 9:00 AM EDT) Built-in security is the next big thing for hard-disk drives. By 2008, drive makers should be shipping in volume a broad array of drives based on a maturing standard. ... The first version of the

The Geheimschreiber Secret - Swedish WWII SIGINT

2006-10-02 Thread Travis H.
http://frode.home.cern.ch/frode/ulfving/ulfving.html This discusses Swedish decryption of a German crypto machine. Although the break was done without any hints, it was a fairly straightforward system of long-period XOR and fixed transposition, and eventual success was predicated on the laziness

Re: A note on vendor reaction speed to the e=3 problem

2006-09-28 Thread Travis H.
On 9/26/06, Richard Salz [EMAIL PROTECTED] wrote: Really, what? There are things it doesn't do, but since it's only a packaging format that's a good thing. Though there are unshar tools, typically people run it as input to /bin/sh, usually without reading through it (and given the level of

Re: A note on vendor reaction speed to the e=3 problem

2006-09-25 Thread Travis H.
On 9/15/06, Taral [EMAIL PROTECTED] wrote: *That* is the Right Way To Do It. If there are variable parts (like hash OID, perhaps), parse them out, then regenerate the signature data and compare it byte-for-byte with the decrypted signature. You know, this sort of reminds me of a problem with
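
An added example of the verification rule Taral states (regenerate the expected signature encoding and compare it byte-for-byte with the decrypted signature), set against the lenient parsing that made e=3 forgeries possible. This is not code from the thread or from any vendor; the RSA step is omitted and both verifiers operate on the already-decrypted encoded message EM. The `forged_em` function only constructs the shape such a forgery takes (valid-looking prefix, attacker-controlled trailing bytes); producing a value of that shape that is also a perfect cube is the attacker's problem and is not shown.

```python
import hashlib

# DER prefixes of the DigestInfo structure used by PKCS#1 v1.5 signatures.
DIGEST_INFO_PREFIX = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}

def pkcs1_v15_encode(hash_name: str, message: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo(H(message)), exactly em_len bytes long."""
    t = DIGEST_INFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    pad_len = em_len - len(t) - 3
    if pad_len < 8:
        raise ValueError("modulus too small for this digest")
    return b"\x00\x01" + b"\xff" * pad_len + b"\x00" + t

def verify_strict(hash_name: str, message: bytes, em: bytes) -> bool:
    """The right way: rebuild the whole encoding and compare every byte."""
    return em == pkcs1_v15_encode(hash_name, message, len(em))

def verify_sloppy(hash_name: str, message: bytes, em: bytes) -> bool:
    """The broken way: walk the padding, check the DigestInfo and hash, never look at what follows."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xff:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    i += 1
    expected = DIGEST_INFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    return em[i:i + len(expected)] == expected      # trailing bytes are never examined

def forged_em(hash_name: str, message: bytes, em_len: int) -> bytes:
    """Constructed forgery shape: minimal padding, a correct DigestInfo, then attacker-chosen bytes
    (the freedom an e=3 forger needs to make the whole value a perfect cube)."""
    t = DIGEST_INFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    garbage_len = em_len - len(t) - 3 - 8
    return b"\x00\x01" + b"\xff" * 8 + b"\x00" + t + b"\x41" * garbage_len
```

Note that the strict verifier also rejects a signature whose padding is merely shorter than it should be, which is exactly the class of inputs the sloppy parser waves through.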

Re: IGE mode is broken (Re: IGE mode in OpenSSL)

2006-09-23 Thread Travis H.
On 9/9/06, Adam Back [EMAIL PROTECTED] wrote: IGE if this description summarized by Travis is correct, appears to be a re-invention of Anton Stiglic and my proposed FREE-MAC mode. However the FREE-MAC mode (below described as IGE) was broken back in Mar 2000 or maybe earlier by Gligor, Donescu

Re: Did Hezbollah use SIGINT against Israel?

2006-09-22 Thread Travis H.
On 9/20/06, Leichter, Jerry [EMAIL PROTECTED] wrote: Newspaper reports have claimed that many troops were sent into the field with old equipment - including in particular 10+-year-old communications equipment. The Single Channel Ground and Airborne Radio System was designed in the 80's:

Re: RSA SecurID SID800 Token vulnerable by design

2006-09-17 Thread Travis H.
On 9/15/06, Daniel Carosone [EMAIL PROTECTED] wrote: But let's not also forget that these criticisms apply approximately equally to smart card deployments with readers that lack a dedicated pinpad and signing display. This looks mildly interesting: http://www.projectblackdog.com/product.html I

Re: IGE mode is broken (Re: IGE mode in OpenSSL)

2006-09-16 Thread Travis H.
On 9/10/06, James A. Donald [EMAIL PROTECTED] wrote: Typo: We transmit T(k)= {W(k)} + W(k-1)|{W(k-1)} where | means bitwise or, curly brace means encryption. Should read: We transmit T(k) = {W(k)} + ((~W(k-11){W(k-1)}) where ~ means bitwise negation, | means bitwise or, curly brace means

secure key storage APIs

2006-09-08 Thread Travis H.
Hey, Does anyone know of any OSS OS facilities for managing keys? With ssh-agent and gpg-agent providing access to key storage by inherited processes, and the keys themselves being vulnerable as stored on-disk, I wonder if there isn't any more general facility for doing key management and

link fest on fingerprint biometrics

2006-09-08 Thread Travis H.
Found at doxpara.com: fingerprints: http://chris.fornax.net/biometrics.html faceprints: http://www.site.uottawa.ca/~adler/publications/2003/adler-2003-fr-templates.pdf More on fingerprints: http://onin.com/fp/cyanoho.html At home I have an excellent page on making fake fingerprints, but I

signing all outbound email

2006-09-04 Thread Travis H.
Has anyone created hooks in MTAs so that they automagically sign outbound email, so that you can stop forgery spam via a SRV DNS record? -- If you're not part of the solution, you're part of the precipitate. Unix guru for rent or hire -- http://www.lightconsulting.com/~travis/ GPG fingerprint:

Re: IGE mode in OpenSSL

2006-09-04 Thread Travis H.
Never mind the algorithm, I saw the second PDF. For the other readers, the algorithm in more standard variable names is: c_i = f_K(p_i xor c_(i-1)) xor p_(i-1) IV = p_(-1), c_(-1) I suppose the dependency on c_(i-1) and p_(i-1) is the part that prevents the attacker from predicting and
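
An added implementation of the IGE recurrence as written in this message, c_i = f_K(p_i xor c_{i-1}) xor p_{i-1} with (c_{-1}, p_{-1}) as the IV, plus its inverse and a check of the error propagation that the "free MAC" argument relied on. This is not OpenSSL's code; the block cipher is a constructed 8-round Feistel network over SHA-256, standing in for AES so the block runs without a crypto library. As the later messages in this thread (Adam Back, citing Gligor and Donescu) point out, forward error propagation does not make the mode an authenticator; the `corrupted_blocks` function only shows the propagation property itself.

```python
import hashlib

BLOCK = 16

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the toy cipher: keyed SHA-256 truncated to a half block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Constructed Feistel block cipher used in place of AES; not for real use."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(8):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(8)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right

def ige_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """c_i = E_K(p_i xor c_{i-1}) xor p_{i-1}; iv = c_{-1} || p_{-1} (two blocks)."""
    assert len(iv) == 2 * BLOCK and len(plaintext) % BLOCK == 0
    c_prev, p_prev = iv[:BLOCK], iv[BLOCK:]
    out = []
    for i in range(0, len(plaintext), BLOCK):
        p = plaintext[i:i + BLOCK]
        c = _xor(toy_encrypt_block(key, _xor(p, c_prev)), p_prev)
        out.append(c)
        c_prev, p_prev = c, p
    return b"".join(out)

def ige_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Inverse: p_i = D_K(c_i xor p_{i-1}) xor c_{i-1}."""
    assert len(iv) == 2 * BLOCK and len(ciphertext) % BLOCK == 0
    c_prev, p_prev = iv[:BLOCK], iv[BLOCK:]
    out = []
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        p = _xor(toy_decrypt_block(key, _xor(c, p_prev)), c_prev)
        out.append(p)
        c_prev, p_prev = c, p
    return b"".join(out)

def corrupted_blocks(key: bytes, iv: bytes, plaintext: bytes, flip_block: int) -> list:
    """Flip one bit in ciphertext block `flip_block`; return the indices of plaintext blocks that change.
    In IGE the damage runs from that block to the end, unlike CBC where only two blocks are affected."""
    ct = bytearray(ige_encrypt(key, iv, plaintext))
    ct[flip_block * BLOCK] ^= 0x01
    pt2 = ige_decrypt(key, iv, bytes(ct))
    return [i for i in range(len(plaintext) // BLOCK)
            if pt2[i * BLOCK:(i + 1) * BLOCK] != plaintext[i * BLOCK:(i + 1) * BLOCK]]
```

Propagation to the end of the message is why a trailing known block was proposed as an integrity check; the attack in the follow-up messages shows that an attacker who controls some plaintext can still arrange for that final block to come out right, so a real MAC is still required.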

Re: IGE mode in OpenSSL

2006-09-04 Thread Travis H.
The NIST server is down. Care to post the algorithm? By the term crib do you mean a known-plaintext? I'd like to see a proof that it is not possible to alter the final block to make it decrypt to all zeroes; that seems worse than CRCs and putting a CRC at the end of the plaintext is a common,

Re: Debunking the PGP backdoor myth for good. [was RE: Hypothesis: PGP backdoor (was: A security bug in PGP products?)]

2006-09-03 Thread Travis H.
On 8/28/06, Ondrej Mikle [EMAIL PROTECTED] wrote: Take as an example group of Z_p* with p prime (in another words: DLP). The triplet (Z, p, generator g) is a compression of a string of p-1 numbers, each number about log2(p) bits. Pardon my mathematical ignorance, but isn't Z just a notation to

uniformly random selection algorithms

2006-09-03 Thread Travis H.
I didn't know about this RFC, but apparently the IETF has a standard for selecting people randomly for sortition in a publicly-verifiable way. References: http://rfc.sunsite.dk/rfc/rfc3797.html http://www.isi.edu/in-notes/rfc3797.txt This got me to thinking about random selection. They take

correction to uniformly random selection algorithms

2006-09-03 Thread Travis H.
I just realized I made a small error in algorithm 2. On 9/2/06, Travis H. [EMAIL PROTECTED] wrote: 2. This algorithm seems to waste fewer bits: Initialize with c = 0. x = extraction of n bits That should read: x = extraction of ceil(lg(p-c)) bits Otherwise there's nothing gained by carrying
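
Since only a fragment of the algorithms from this pair of messages is visible here, the following added example implements the general form of the technique they are about, not the author's numbered algorithms: take exactly ceil(lg n) bits from the bit source, reject and redraw when the value is at least n, and contrast that with the biased shortcut of reducing a few extra bits modulo n. The `exact_distribution` helper enumerates every bit pattern so the bias is shown by exact counts rather than by sampling. The SHA-256 counter-mode bit source is a constructed stand-in for the verifiable public randomness RFC 3797 builds its selection on.

```python
import hashlib

class BitSource:
    """Deterministic bit stream for the demo: SHA-256 in counter mode over a seed.
    A real sortition would seed this from the unpredictable public values RFC 3797 describes."""
    def __init__(self, seed: bytes):
        self.seed, self.counter, self.buf, self.consumed = seed, 0, [], 0

    def bits(self, n: int) -> int:
        value = 0
        for _ in range(n):
            if not self.buf:
                digest = hashlib.sha256(self.seed + self.counter.to_bytes(4, "big")).digest()
                self.counter += 1
                self.buf = [(byte >> i) & 1 for byte in digest for i in range(8)]
            value = (value << 1) | self.buf.pop()
        self.consumed += n
        return value

class FixedBits:
    """Bit source over one fixed pattern; running out raises IndexError, counted as a rejection."""
    def __init__(self, pattern):
        self.data = list(pattern)

    def bits(self, n: int) -> int:
        value = 0
        for _ in range(n):
            value = (value << 1) | self.data.pop(0)
        return value

def uniform_below(src, n: int) -> int:
    """Unbiased: read ceil(lg n) bits, reject and redraw when the value is >= n.
    Each attempt succeeds with probability n / 2**ceil(lg n), which is above 1/2."""
    if n == 1:
        return 0
    width = (n - 1).bit_length()
    while True:
        x = src.bits(width)
        if x < n:
            return x

def biased_below(src, n: int) -> int:
    """The tempting shortcut: read a couple of extra bits and reduce mod n. Biased unless n is a power of two."""
    return src.bits((n - 1).bit_length() + 2) % n

def select(src, population, k: int) -> list:
    """Choose k distinct items by drawing a uniform index among the remaining candidates each round."""
    remaining = list(population)
    return [remaining.pop(uniform_below(src, len(remaining))) for _ in range(k)]

def exact_distribution(draw, n: int, nbits: int):
    """Feed every nbits-bit pattern to `draw` and count where it lands; returns (counts, rejections)."""
    counts, rejected = [0] * n, 0
    for pattern in range(2 ** nbits):
        src = FixedBits((pattern >> (nbits - 1 - i)) & 1 for i in range(nbits))
        try:
            counts[draw(src)] += 1
        except IndexError:
            rejected += 1
    return counts, rejected
```

For n = 5 the rejection method accepts 5 of the 8 three-bit patterns exactly once each and rejects 3; the modulo shortcut over five bits lands 7 times on 0 and 1 but only 6 times on 2, 3 and 4. `src.consumed` after a `select` call is the bit cost the messages are trying to minimise.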

Re: A security bug in PGP products?

2006-08-30 Thread Travis H.
On 8/23/06, Dave Korn [EMAIL PROTECTED] wrote: Given that, whatever passphrase you use, you will decrypt the EDK block and get /something/ that looks like a key, this comparison of hashes is a sanity test. If you bypass it but enter the wrong passphrase, you'll get an incorrectly-decrypted

Re: Hypothesis: PGP backdoor (was: A security bug in PGP products?)

2006-08-30 Thread Travis H.
On 8/23/06, Ondrej Mikle [EMAIL PROTECTED] wrote: We discussed with V. Klima about the recent bug in PGPdisk that allowed extraction of key and data without the knowledge of passphrase. I skimmed the URL and it appears this claim was answered several times in the original thread. Did you not

Re: compressing randomly-generated numbers

2006-08-30 Thread Travis H.
On 8/29/06, Alexander Klimov [EMAIL PROTECTED] wrote: Well, it not really a claim since there was no definition, here it is: A ``dependency stripping'' algorithm is a deterministic algorithm that gets a stream of unbiased (but not necessary independent bits) and produces a stream of several

Re: Hamiltonian path as protection against DOS.

2006-08-27 Thread Travis H.
What is the complexity class for Eulerian paths/trails? Wikipedia doesn't say. -- If you're not part of the solution, you're part of the precipitate. Unix guru for rent or hire -- http://www.lightconsulting.com/~travis/ GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484

setting up a CA with OpenSSL

2006-08-27 Thread Travis H.
Figured some people might be interested in doing this. I know how it all works (or fails to) on a theoretical level, but never actually implemented it. This page is very helpful: http://sial.org/howto/openssl/ca/ If anyone has any criticisms about this procedure as described, please speak

collisions in 64 round variant of SHA-1 with 25% chosen plaintext

2006-08-27 Thread Travis H.
http://www.heise-security.co.uk/news/77244 ``Although the demonstration was restricted to the reduced SHA-1 variant in 64 steps, it can, according to the experts, also be generalised to the standard 80 step variant. This means that SHA-1 must also be considered as cracked in principle. Christian

CRCs and passphrase hashing

2006-08-27 Thread Travis H.
Howdy! I was talking to Terry Ritter, and he was explaining to me that when he needed to make some keys from a user-supplied passphrase, he computed various CRCs over the passphrase, and used those as derived keys. I'd like to know more about it, and I was wondering if anyone knew of any work

Re: [IP] more on Can you be compelled to give a password?

2006-08-10 Thread Travis H.
On 8/8/06, Ed Gerck [EMAIL PROTECTED] wrote: The worst-case setting for the user is likely to be when the coercer can do all that you said and has the time/resources to do them. However, if the distress password is strong (ie, not breakable within the time/resources available to the coercer),

Re: [IP] more on Can you be compelled to give a password?

2006-08-10 Thread Travis H.
On 8/9/06, Ed Gerck [EMAIL PROTECTED] wrote: A debugger cannot decrypt without the key, which is produced only with the access password. Ah okay. By the way, an interesting link from Schneier's blog, mentions copyright and randomly-generated numbers:

Re: [IP] more on Can you be compelled to give a password?

2006-08-10 Thread Travis H.
On 8/8/06, Travis H. [EMAIL PROTECTED] wrote: Or, nobody has the data: http://monolith.sourceforge.net/ http://www.schneier.com/blog/archives/2006/03/monolith.html Grr... remind me not to read the comments on old blogs, it's irritating to see so much misrepresentation... The monolith model

compressing randomly-generated numbers

2006-08-10 Thread Travis H.
Hey, I was mulling over some old emails about randomly-generated numbers and realized that if I had an imperfectly random source (something less than 100% unpredictable), that compressing the output would compress it to the point where it was nearly so. Would there be any reason to choose one

Re: NIST hash function design competition

2006-07-21 Thread Travis H.
On 7/20/06, Florian Weimer [EMAIL PROTECTED] wrote: Is this about Colin Percival's work? The paper was by Dan Bernstein; Percival's comments are specific to hyperthreading, but I think djb's research showed that it's applicable to non-HT architectures as well. -- Follow where reason leads --

Re: Interesting bit of a quote

2006-07-16 Thread Travis H.
On 7/15/06, John Kelsey [EMAIL PROTECTED] wrote: Another solution is to use cryptographic audit logs. Bruce Schneier and I did some work on this several years ago, using a MAC to authenticate the current record as it's written, and a one-way function to derive the next key. (This idea was
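
An added example of the audit-log construction Kelsey describes: each record is MACed under the current key and the key is then replaced by a one-way function of itself, so an attacker who later takes over the logging host holds a key that cannot re-MAC earlier records. This is not the Schneier-Kelsey code; the key-update and MAC choices (SHA-256 and HMAC-SHA256) are mine. The verifier is assumed to hold the initial key K_0 somewhere the attacker cannot reach, typically an offline machine.

```python
import hashlib
import hmac

def evolve(key: bytes) -> bytes:
    """One-way key update K_{i+1} = H(K_i): holding K_{i+1} does not reveal K_i."""
    return hashlib.sha256(b"audit-log-key-evolution" + key).digest()

def mac(key: bytes, index: int, record: bytes) -> bytes:
    """Tag over (index, record) so entries cannot be reordered without detection."""
    return hmac.new(key, index.to_bytes(8, "big") + record, hashlib.sha256).digest()

class AuditLogWriter:
    """Holds only the current key. Each append MACs the record with K_i and then replaces K_i by H(K_i),
    so a later compromise of the writer yields no key able to re-MAC records already written."""
    def __init__(self, initial_key: bytes):
        self.current_key = initial_key
        self.entries = []          # list of (index, record, tag)

    def append(self, record: bytes) -> None:
        index = len(self.entries)
        self.entries.append((index, record, mac(self.current_key, index, record)))
        self.current_key = evolve(self.current_key)

def verify_log(initial_key: bytes, entries):
    """Verifier holding K_0 recomputes the key chain. Returns the index of the first bad entry, or None."""
    key = initial_key
    for expected_index, (index, record, tag) in enumerate(entries):
        if index != expected_index or not hmac.compare_digest(mac(key, index, record), tag):
            return expected_index
        key = evolve(key)
    return None
```

Two limits worth knowing before deploying this: the attacker who holds the current key can still append plausible entries from the compromise onward, and deleting the tail of the log is not detected by the chain alone, so the writer should periodically commit the current index to somewhere the attacker cannot rewrite.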

Re: Interesting bit of a quote

2006-07-14 Thread Travis H.
On 7/14/06, David Mercer [EMAIL PROTECTED] wrote: WORM drives (and WORM tapes) are used by organizations that need to prove that things weren't altered (or to be able to audit when they are). The problem with this is determining if the media has been replaced. Absent other protections, one

Re: NIST hash function design competition

2006-07-13 Thread Travis H.
On 7/11/06, Hal Finney [EMAIL PROTECTED] wrote: : So what went wrong? Answer: NIST failed to recognize that table lookups : do not take constant time. "Table lookup: not vulnerable to timing : attacks," NIST stated in [19, Section 3.6.2]. NIST's statement was, : and is, incorrect. That's

timing attack biblio/link farm posted

2006-07-13 Thread Travis H.
I'm still fleshing it out, but I've gathered a bunch of links/papers on side-channel attacks: http://www.lightconsulting.com/~travis/side_channel_attacks.html Suggestions welcome. -- Resolve is what distinguishes a person who has failed from a failure. Unix guru for sale or rent -

Correction: Side Channel Attack web page, was Re: timing attack biblio/link farm posted

2006-07-13 Thread Travis H.
Sorry, noticed the subject line was misleading. It contains every side channel attack I could find, including but not limited to timing. -- Resolve is what distinguishes a person who has failed from a failure. Unix guru for sale or rent - http://www.lightconsulting.com/~travis/ -- GPG

Re: Interesting bit of a quote

2006-07-12 Thread Travis H.
On 7/11/06, Adam Fields [EMAIL PROTECTED] wrote: On Tue, Jul 11, 2006 at 01:02:27PM -0400, Leichter, Jerry wrote: Business ultimately depends on trust. There's some study out there - Trust is not quite the opposite of security (in the sense of an action, not as a state of being), but certainly

Re: Quantum RNG (was: Use of TPM chip for RNG)

2006-07-08 Thread Travis H.
On 7/4/06, Taral [EMAIL PROTECTED] wrote: On 7/4/06, Andrea Pasquinucci [EMAIL PROTECTED] wrote: About RNG, does someone in the list have any comment, ideas on this http://www.idquantique.com/products/quantis.htm Why? Noise-based RNGs are just as random and just as quantum. :) Hella fast.

Re: Use of TPM chip for RNG?

2006-07-04 Thread Travis H.
On 7/3/06, Leichter, Jerry [EMAIL PROTECTED] wrote: You're damned if you do and damned if you don't. Would you want to use a hardware RNG that was *not* inside a tamper-proof package - i.e., inside of a package that allows someone to tamper with it? Yes. If someone has physical access to

Re: Use of TPM chip for RNG?

2006-07-04 Thread Travis H.
On 7/2/06, Peter Gutmann [EMAIL PROTECTED] wrote: You have to be pretty careful here. Most of the TPM chips are just rebadged smart cards, and the RNGs on those are often rather dubious. My last email of the day, I promise ;-) And if you're interested in some of the smart card developments,

Re: EDP (entropy distribution protocol), userland PRNG design

2006-07-02 Thread Travis H.
Going over old emails. On 10/12/05, Jack Lloyd [EMAIL PROTECTED] wrote: I prefer a multi-stage design, as described by various people smarter than I am: source(s) -- mixer -- pool -- extractor -- X9.31 Did you really mean X9.31 and not X9.17? -- Resolve is what distinguishes a person who

classical crypto programmatic aids

2006-06-28 Thread Travis H.
Hi folks, Does anyone here know of any computer-based aids for breaking classical cryptosystems? I'm thinking in particular of the ones in Body of Secrets, which are so short that I really hope they're monoalphabetic substitutions. But I'm interested in these sorts of programs more generally.

complexity classes and crypto algorithms

2006-06-13 Thread Travis H.
What kind of problems do people run into when they try to make cryptographic algorithms that reduce to problems of known complexity? I'm expecting that the literature is full of such attempts, and one could probably spend a lifetime reading up on them, but I have other plans and would appreciate

Re: Status of attacks on AES?

2006-06-12 Thread Travis H.
On 6/8/06, Max [EMAIL PROTECTED] wrote: What they need is just to provide an access to their distinguisher in the form of blackbox. To prove its meaningfulness, the distinguisher must show consistent results in distinguishing AES-encrypted data (say, for a fixed plaintext without repeating

Re: Status of attacks on AES?

2006-06-12 Thread Travis H.
On 6/12/06, Travis H. [EMAIL PROTECTED] wrote: I may be stepping into the crossfire here, but on my reading of their web page, they don't claim to be able to do that. Bleh, my misunderstanding. Forget that I flaunted my ignorance. -- Scientia Est Potentia -- Eppur Si Muove -- Admire

Re: Status of SRP

2006-06-02 Thread Travis H.
On 5/30/06, Derek Atkins [EMAIL PROTECTED] wrote: Quoting James A. Donald [EMAIL PROTECTED]: The obvious solution to the phishing crisis is the widespread deployment of SRP, but this does not seem to happening. SASL-SRP was recently dropped. What is the problem? Patents. Seconded. When

Re: the meaning of linearity, was Re: picking a hash function to be encrypted

2006-05-18 Thread Travis H.
On 5/17/06, Kuehn, Ulrich [EMAIL PROTECTED] wrote: Given known plaintext and corresponding ciphertext, there should not be too many keys that map the plaintext to the ciphertext. I don't have the probability at hand how many such 'collisions' you would expect from 256 random permutations, but

Re: the meaning of linearity, was Re: picking a hash function to be encrypted

2006-05-18 Thread Travis H.
On 5/18/06, Travis H. [EMAIL PROTECTED] wrote: ... There are 255 other permutations, so the chance that there is at least one k' such that f_k'(x)=y is 255/256 = 99.6%. The chance that there is exactly one such k' is sampling with replacement and if I am not mistaken P(|K|=1) = (255/256)^255

anyone have New Hash Functions and their Use in Authentication and Set Equality

2006-05-17 Thread Travis H.
I've googled for New Hash Functions and their Use in Authentication and Set Equality and found several citations but no electronic copies. I don't have access to a library that might have it, does anyone here have one? Thanks.

Re: the meaning of linearity, was Re: picking a hash function to be encrypted

2006-05-15 Thread Travis H.
On 5/15/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Other than post by a guy - Terry someone or another - on sci.crypt a number of years ago - I've never seen any work in this direction. Is there stuff I'm not aware of? That would probably be Terry Ritter, www.ciphersbyritter.com. He calls

picking a hash function to be encrypted

2006-05-14 Thread Travis H.
So... Suppose I want a function to provide integrity and authentication, and that is to be combined with a stream cipher (as is the plaintext). I believe that authentication is free once I have integrity given the fact that the hash value is superencrypted using the stream cipher, whose key is

Re: picking a hash function to be encrypted

2006-05-14 Thread Travis H.
On 5/14/06, Eric Rescorla [EMAIL PROTECTED] wrote: Consider the case where you're transmitting message M. The hash is H(M). You then encrypt (M || H(M)), generating K XOR (M || H(M)). If the attacker knows M and H, he can compute (M || H(M)) and compute K. Then he can re-encrypt a message M' of
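
The attack Rescorla describes, worked through as an added example (not code from the thread): with a stream cipher the ciphertext is K xor (M || H(M)), so an attacker who knows M recovers the keystream and can re-encrypt any M' || H(M') of the same length. The keystream generator is a constructed HMAC-SHA256 counter stream standing in for a real stream cipher. The second half shows the fix a practitioner would reach for instead of an unkeyed hash: a MAC under an independent key, here encrypt-then-MAC; keystream recovery still works against it, but the tag cannot be recomputed.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed stand-in for a stream cipher: HMAC-SHA256 in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# The scheme under discussion: stream-encrypt (M || H(M)) and hope the hash authenticates.
def seal_hash_then_stream(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    return _xor(msg + hashlib.sha256(msg).digest(), keystream(key, nonce, len(msg) + 32))

def open_hash_then_stream(key: bytes, nonce: bytes, ct: bytes):
    pt = _xor(ct, keystream(key, nonce, len(ct)))
    msg, tag = pt[:-32], pt[-32:]
    return msg if hmac.compare_digest(hashlib.sha256(msg).digest(), tag) else None

def forge(ct: bytes, known_msg: bytes, new_msg: bytes) -> bytes:
    """Attacker knows M and sees the ciphertext: recover the keystream, then encrypt M' || H(M') under it."""
    assert len(new_msg) == len(known_msg)
    ks = _xor(ct, known_msg + hashlib.sha256(known_msg).digest())
    return _xor(new_msg + hashlib.sha256(new_msg).digest(), ks)

# The fix: a keyed MAC with a key independent of the encryption key (encrypt-then-MAC).
def seal_etm(enc_key: bytes, mac_key: bytes, nonce: bytes, msg: bytes) -> bytes:
    ct = _xor(msg, keystream(enc_key, nonce, len(msg)))
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_etm(enc_key: bytes, mac_key: bytes, nonce: bytes, blob: bytes):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None                      # reject before touching the plaintext
    return _xor(ct, keystream(enc_key, nonce, len(ct)))

def forge_etm(blob: bytes, known_msg: bytes, new_msg: bytes) -> bytes:
    """Same keystream recovery against encrypt-then-MAC; the attacker can only reuse the old tag."""
    ct = blob[:-32]
    return _xor(new_msg, _xor(ct, known_msg)) + blob[-32:]
```

The point Rescorla makes generalises to any additive cipher: an unkeyed checksum inside a stream-encrypted message is only as secret as the plaintext around it, so integrity has to come from something keyed.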

Re: picking a hash function to be encrypted

2006-05-14 Thread Travis H.
On 5/14/06, Victor Duchovni [EMAIL PROTECTED] wrote: Security is fragile. Deviating from well understood primitives may be good research, but is not good engineering. Especially fragile are: Point taken. This is not for a production system, it's a research thing. TLS (available via OpenSSL)

the meaning of linearity, was Re: picking a hash function to be encrypted

2006-05-14 Thread Travis H.
- Stream ciphers (additive) This reminds me, when people talk about linearity with regard to a function, for example CRCs, exactly what sense of the word do they mean? I can understand f(x) = ax + b being linear, but how exactly does XOR get involved, and are there +-linear functions and

Re: fyi: Deniable File System - Rubberhose

2006-05-02 Thread Travis H.
On 5/2/06, Ivan Krstic [EMAIL PROTECTED] wrote: I spent some time thinking about this a few years back: http://diswww.mit.edu/bloom-picayune/crypto/15520 Rubberhose was one of the things that came up, along with StegFS and BestCrypt. Unfortunately, it seems like Rubberhose hasn't seen work in

Intel microcode update encryption

2006-05-02 Thread Travis H.
http://microcodes.sourceforge.net/ There you can find a PDF reviewing the microcode update feature. Apparently the updates from Intel are 2048 bytes long overall, and have a 4-byte checksum, and are encrypted using some kind of mechanism on the processor. Since they don't (to my knowledge)

Re: PGP master keys

2006-05-01 Thread Travis H.
On 29 Apr 2006 02:00:18 -, StealthMonger [EMAIL PROTECTED] wrote: Interesting epilog: theregister has apparently now edited out all mention of master keys. They probably had their misunderstanding pointed out to them by countless people by now. But... did anyone else note the phrasing of

Re: encrypted file system issues (was Re: PGP master keys)

2006-05-01 Thread Travis H.
On 5/1/06, Perry E. Metzger [EMAIL PROTECTED] wrote: Not if you design it correctly. Disk encryption systems like CGD work on the block level, and do not propagate CBC operations across blocks, So is it vulnerable to any of the attacks here? http://clemens.endorphin.org/LinuxHDEncSettings I

what's wrong with HMAC?

2006-05-01 Thread Travis H.
Ross Anderson once said cryptically, "HMAC has a long story attached to it - the triumph of the theory community over common sense". He wouldn't expand on that any more... does anyone have an idea of what he is referring to? -- Curiosity killed the cat, but for a while I was a suspect -- Steven

Windows XP product activation, product keys, installation IDs, &c.

2006-05-01 Thread Travis H.
In case you wondered what was behind those sequences of digits... Gory details here: http://www.licenturion.com/xp/fully-licensed-wpa.txt Ew, I think I have to take a shower now. -- Curiosity killed the cat, but for a while I was a suspect -- Steven Wright Security Guru for Hire

non-cartesian A codes and latin squares

2006-04-30 Thread Travis H.
Background: An A-code is a matrix E x M, where e is the encoding rule used, and m is the message the transmitter should send (output). The message to be authenticated (input) is s in { s_1 .. s_k }, and the contents of the matrix are members of such that every row (encoding rule) contains

non-cartesian A codes

2006-04-17 Thread Travis H.
Hi, does anyone have a web reference on how to construct matrices for non-cartesian A codes a la Simmons? I see descriptions of what they should look like, but no algorithms for creating them. -- Curiosity killed the cat, but for a while I was a suspect -- Steven Wright Security Guru for Hire

excellent wifi security page

2006-04-13 Thread Travis H.
http://www.drizzle.com/~aboba/IEEE/ -- Curiosity killed the cat, but for a while I was a suspect -- Steven Wright Security Guru for Hire http://www.lightconsulting.com/~travis/ -- GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484

is breaking RSA at least as hard as factoring or vice-versa?

2006-04-02 Thread Travis H.
So I'm reading up on unconditionally secure authentication in Simmon's Contemporary Cryptology, and he points out that with RSA, given d, you could calculate e (remember, this is authentication not encryption) if you could factor n, which relates the two. However, the implication is in the less

Re: Linux RNG paper

2006-03-23 Thread Travis H.
I have examined the LRNG paper and have a few comments. CC'd to the authors so mind the followups. 1) In the paper, he mentions that the state file could be altered by an attacker, and then he'd know the state when it first came up. Of course, if he could do that, he could simply install a