Re: [Cryptography] NIST about to weaken SHA3?

2013-09-30 Thread Viktor Dukhovni
On Mon, Sep 30, 2013 at 05:45:52PM +1000, James A. Donald wrote: On 2013-09-30 14:34, Viktor Dukhovni wrote: On Mon, Sep 30, 2013 at 05:12:06AM +0200, Christoph Anton Mitterer wrote: Not sure whether this has been pointed out / discussed here already (but I guess Perry will reject my mail

Re: [Cryptography] NIST about to weaken SHA3?

2013-09-30 Thread Viktor Dukhovni
On Tue, Oct 01, 2013 at 07:21:03AM +1000, James A. Donald wrote: On 2013-10-01 00:44, Viktor Dukhovni wrote: Should one also accuse ESTREAM of maliciously weakening SALSA? Or might one admit the possibility that winning designs in contests are at times quite conservative and that one can

Re: [Cryptography] RSA equivalent key length/strength

2013-09-29 Thread Viktor Dukhovni
On Mon, Sep 30, 2013 at 10:07:14AM +1000, James A. Donald wrote: Therefore, everyone should use Curve25519, which we have every reason to believe is unbreakable. Superceded by the improved Curve1174. http://cr.yp.to/elligator/elligator-20130527.pdf -- Viktor.

Re: [Cryptography] NIST about to weaken SHA3?

2013-09-29 Thread Viktor Dukhovni
On Mon, Sep 30, 2013 at 05:12:06AM +0200, Christoph Anton Mitterer wrote: Not sure whether this has been pointed out / discussed here already (but I guess Perry will reject my mail in case it has): https://www.cdt.org/blogs/joseph-lorenzo-hall/2409-nist-sha-3 I call FUD. If progress is to

Re: [Cryptography] RSA equivalent key length/strength

2013-09-28 Thread Viktor Dukhovni
On Fri, Sep 27, 2013 at 11:23:27AM -0400, Phillip Hallam-Baker wrote: Actually, it turns out that the problem is that the client croaks if the server tries to use a key size that is bigger than it can handle. Which means that there is no practical way to address it server side within the

Re: [Cryptography] RSA equivalent key length/strength

2013-09-24 Thread Viktor Dukhovni
On Sat, Sep 21, 2013 at 05:07:02PM -0700, Patrick Pelletier wrote: and there was a similar discussion on the OpenSSL list recently, with GnuTLS getting blamed for using the ECRYPT recommendations rather than 1024: http://www.mail-archive.com/openssl-users@openssl.org/msg71899.html GnuTLS

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-18 Thread Viktor Dukhovni
On Tue, Sep 17, 2013 at 11:48:40PM -0700, Christian Huitema wrote: Given that many real organizations have hundreds of front end machines sharing RSA private keys, theft of RSA keys may very well be much easier in many cases than broader forms of sabotage. Or we could make it easy to

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-18 Thread Viktor Dukhovni
On Wed, Sep 18, 2013 at 08:04:04PM +0100, Ben Laurie wrote: This is only realistic with DANE TLSA (certificate usage 2 or 3), and thus will start to be realistic for SMTP next year (provided DNSSEC gets off the ground) with the release of Postfix 2.11, and with luck also a DANE-capable

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-18 Thread Viktor Dukhovni
On Wed, Sep 18, 2013 at 08:47:17PM +, Viktor Dukhovni wrote: On Wed, Sep 18, 2013 at 08:04:04PM +0100, Ben Laurie wrote: This is only realistic with DANE TLSA (certificate usage 2 or 3), and thus will start to be realistic for SMTP next year (provided DNSSEC gets off the ground

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-17 Thread Viktor Dukhovni
On Tue, Sep 17, 2013 at 05:01:12PM -0400, Perry E. Metzger wrote: (Note that this assumes no cryptographic breakthroughs like doing discrete logs over prime fields easily or (completely theoretical since we don't really know how to do it) sabotage of the elliptic curve system in use.)

Re: [Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)

2013-09-11 Thread Viktor Dukhovni
On Tue, Sep 10, 2013 at 12:56:16PM -0700, Bill Stewart wrote: I thought the normal operating mode for PFS is that there's an initial session key exchange (typically RSA) and authentication, which is used to set up an encrypted session, and within that session there's a DH or ECDH key exchange

[Cryptography] Time for djb's Edwards curves in TLS?

2013-09-10 Thread Viktor Dukhovni
Is there a TLS WG draft adding djb's Curve1174 to the list of named curves supported by TLS? If there's credible doubt about the safety of the NIST curves, it seems that Curve1174 (in Edwards form) would make a good choice for EECDH, perhaps coupled with a similar curve with ~512 bits. Slides

[Cryptography] Speaking of EDH (GnuTLS interoperability)

2013-09-08 Thread Viktor Dukhovni
Some of you may have seen my posts to postfix-users and openssl-users, if so, apologies for the duplication. http://archives.neohapsis.com/archives/postfix/2013-09/thread.html#80 http://www.mail-archive.com/openssl-users@openssl.org/index.html#71903 The short version is that while everyone

Re: [Cryptography] Techniques for malevolent crypto hardware

2013-09-08 Thread Viktor Dukhovni
On Sun, Sep 08, 2013 at 06:16:45PM -0400, John Kelsey wrote: I don't think you can do anything useful in crypto without some good source of random bits. If there is a private key somewhere (say, used for signing, or the public DH key used alongside the ephemeral one), you can combine the