Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

2013-10-11 Thread Zooko O'Whielacronx
*has* solved those vexing problems could extend the protection that they've gained to users of your protocol. 3. Maybe study ZRTP and tcpcrypt for comparison. Don't try to study foolscap, even though it is a very interesting practical approach, because there doesn't exist docume

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-11 Thread zooko
Therefore, Ed25519 or RFC-6979-enhanced (EC)DSA is actually safer than RSA-PSS is with regard to this issue. Regards, Zooko ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

Re: [Cryptography] People should turn on PFS in TLS

2013-09-10 Thread zooko
our friendly neighborhood TLS implementor to move fast on http://tools.ietf.org/id/draft-josefsson-salsa20-tls-02.txt . Regards, Zooko

Re: [Cryptography] Keeping backups (was Re: Separating concerns

2013-08-29 Thread zooko
e, and I have non-technical friends who use it and are totally > happy with the results. I wish there was an automated thing in Time > Machine to let me trade backups with an offsite friend as well. The Least-Authority Filesystem comes with a nice backup tool ("tahoe backu

Re: [Cryptography] What is the state of patents on elliptic curve cryptography?

2013-08-21 Thread Zooko Wilcox-OHearn
Here's a nice resource: RFC 6090! https://tools.ietf.org/html/rfc6090 Also relevant: http://cr.yp.to/ecdh/patents.html I'd be keen to see a list of potentially-relevant patents which have expired or are due to expire within the next 5 years. Regards, Zooko Wilcox-O'Hearn Fo

[Cryptography] Open Letter to Phil Zimmermann and Jon Callas of Silent Circle, On The Closure of the “Silent Mail” Service

2013-08-21 Thread Zooko Wilcox-OHearn
't offer voice, text, video, or email services, like Silent Circle does/did. What we offer is simply secure offsite *backup*, and a secure cloud storage API that people use to build other services. So we aren't competitors.) Regards, Zooko Wilcox-O'Hearn Founder, CEO, and Customer Sup

[Cryptography] LeastAuthority.com announces PRISM-proof storage service

2013-08-12 Thread Zooko Wilcox-OHearn
encryption. It is possible. It isn't easy, but we just might make it! We welcome criticism, suggestions, and requests from you all. Regards, Zooko Wilcox-O'Hearn Founder, CEO, and Customer Support Rep https://LeastAuthority.com Freed

Tahoe-LAFS developers' statement on backdoors

2010-10-06 Thread Zooko O'Whielacronx
other than the current core developers are possible. In that event, we would try to persuade any such forks to adopt a similar policy. The following Tahoe-LAFS developers agree with this statement: David-Sarah Hopwood Zooko Wilcox-O'Hearn Brian Warner Kevan Carstensen Frédéric Marti Jack Lloy

ANNOUNCING Tahoe, the Least-Authority File System, v1.8.0

2010-09-27 Thread Zooko O'Whielacronx
ers in the public interest" who make Tahoe-LAFS possible. David-Sarah Hopwood and Zooko Wilcox-O'Hearn on behalf of the Tahoe-LAFS team September 23, 2010 Rainhill, Merseyside, UK and Boulder, Colorado, USA [1] http://tahoe-lafs.org/trac/tahoe/browser/relnotes.txt?rev=4579 [2] http:/

Re: Merkle Signature Scheme is the most secure signature scheme possible for general-purpose use

2010-09-02 Thread Zooko O'Whielacronx
emd, SHA-2, and the SHA-3 candidates that this does hold! What do you think of that argument? Regards, Zooko [1] http://www.springerlink.com/content/d7pm142n58853467/ - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

ANNOUNCING Tahoe, the Least-Authority File System, v1.7.1

2010-07-19 Thread Zooko O'Whielacronx
GEMENTS This is the fifth release of Tahoe-LAFS to be created solely as a labor of love by volunteers. Thank you very much to the team of "hackers in the public interest" who make Tahoe-LAFS possible. David-Sarah Hopwood and Zooko Wilcox-O'Hearn on behalf of the Tahoe-LAFS team

Re: 1280-Bit RSA

2010-07-11 Thread Zooko O'Whielacronx
ith a better demonstration that they were generated with any possible "back door" than do the NIST curves [3]. Regards, Zooko [1] http://www.keylength.com/ [2] http://bench.cr.yp.to/results-sign.html [3] http://www.ecc-brainpool.org/download/draft-lochter-pkix-brain

ANNOUNCING Tahoe, the Least-Authority File System, v1.7.0

2010-07-09 Thread Zooko O'Whielacronx
e progress they make. Regards, Zooko ANNOUNCING Tahoe, the Least-Authority File System, v1.7.0 The Tahoe-LAFS team is pleased to announce the immediate availability of version 1.7.0 of Tahoe-LAFS, an extremely reliable distributed storage system. Tahoe-LAFS is the first distributed storage syst

Merkle Signature Scheme is the most secure signature scheme possible for general-purpose use

2010-07-09 Thread Zooko O'Whielacronx
t digital signature scheme that you can imagine. :-) """ In that note I go on to talk about more Tahoe-LAFS-specific engineering considerations and expose my ignorance about exactly what properties are required of the underlying secure hash functions. Regards, Zooko --

What's the state of the art in digital signatures? Re: What's the state of the art in factorization?

2010-07-09 Thread Zooko O'Whielacronx
On Thu, Apr 22, 2010 at 12:40 PM, Jonathan Katz wrote: > On Thu, 22 Apr 2010, Zooko O'Whielacronx wrote: > >> Unless I misunderstand, if you read someone's plaintext without having >> the private key then you have proven that P=NP! … > The paper you cite reduce

Re: [cryptography] What's the state of the art in factorization?

2010-07-09 Thread Zooko O'Whielacronx
or. Regards, Zooko

What's the state of the art in digital signatures? Re: What's the state of the art in factorization?

2010-07-09 Thread Zooko O'Whielacronx
heme which has good properties (efficiency, simplicity, ease of implementation) and which is based on substantially different ideas and which isn't currently under patent protection (therefore excluding NTRUSign). Any ideas? [1] http://eprint.iacr.org/2007/019

Re: What's the state of the art in factorization?

2010-04-22 Thread Zooko O'Whielacronx
also proven that P=NP! Unfortunately that one in particular doesn't provide digital signatures, only public key encryption, and what I most need for the One Hundred Year Cryptography project is digital signatures. Regards, Zooko [1] http://allmydata.org/pipermail/tahoe-dev/2010-April/date.

Re: What's the state of the art in factorization?

2010-04-22 Thread Zooko O'Whielacronx
ral variant of our scheme that is secure against key-leakage attacks, as well as an oblivious transfer protocol that is secure against semi-honest adversaries. """ Unless I misunderstand, if you read someone's plaintext without having the

Re: Truncating SHA2 hashes vs shortening a MAC for ZFS Crypto

2009-11-09 Thread Zooko Wilcox-O'Hearn
way) or a 128 bits (i.e. you rely on the MAC and you want 128-bit crypto strength) or something in between. Regards, Zooko

hedging our bets -- in case SHA-256 turns out to be insecure

2009-11-08 Thread Zooko Wilcox-O'Hearn
tance and pre-image resistance seem to follow the same pattern as collision-resistance -- C[H1, H2] seems to be much stronger than H1 or H2 alone. Regards, Zooko [1] http://extendedsubset.com/Renegotiating_TLS.pdf [2] http://allmydata.org/trac/tahoe/wiki/NewCaps/WhatCouldGoWrong [3] http://

Re: Truncating SHA2 hashes vs shortening a MAC for ZFS Crypto

2009-11-02 Thread Zooko Wilcox-O'Hearn
need to be random, they need only to be unique. Can you use a block number and birth number or other such guaranteed-unique data instead of storing an IV? (Apropos recent discussion on the cryptography list [2].) Regards, Zooko [1] http://hub.opensolaris.org/bin/download/Project+zfs%2Dcry

deterministic random numbers in crypto protocols -- Re: Possibly questionable security decisions in DNS root management

2009-11-01 Thread Zooko Wilcox-O'Hearn
d point! But can't the one who verifies the signature also verify that the k was generated according to the prescribed technique? Regards, Zooko P.S. If you read this letter all the way to the end then please let me know. I try to make them short, but sometimes I think th

Re: [tahoe-dev] Bringing Tahoe ideas to HTTP

2009-09-16 Thread Zooko Wilcox-O'Hearn
f why he finds the current solution unsatisfactory, perhaps because he assumed the audience already shared his view. (I think he mentioned something in his letter like "the well-known failures of the SSL/CA approach to this problem".)

Re: how to encrypt and integrity-check with only one key

2009-09-14 Thread Zooko Wilcox-O'Hearn
following-up to my own post: On Monday,2009-09-14, at 10:22 , Zooko Wilcox-O'Hearn wrote: David-Sarah Hopwood suggested the improvement that the integrity-check value "V" could be computed as an integrity check (i.e. a secure hash) on the K1_enc in addition to the file c

how to encrypt and integrity-check with only one key

2009-09-14 Thread Zooko Wilcox-O'Hearn
e decryption and integrity-checking of the ciphertext. Here is a diagram: [5] (also attached). David-Sarah Hopwood suggested the improvement that the integrity-check value "V" could be computed as an integrity check (i.e. a secure hash) on the K1_enc in addition to t

Re: RNG using AES CTR as encryption algorithm

2009-09-09 Thread Zooko Wilcox-O'Hearn
And while you are at it, please implement these test vectors and report to Niels Ferguson: http://blogs.msdn.com/si_team/archive/2006/05/19/aes-test-vectors.aspx Regards, Zooko

Re: so how do *you* manage your keys, then? part 3

2009-09-08 Thread Zooko Wilcox-O'Hearn
the wiki page where we're keeping our notes: [5]. If any smart cryptographer or hacker reading this wants to create secure, decentralized storage, please join us! We could use the help! :-) Regards, Zooko [1] http://allmydata.org/~zooko/lafs.pdf [2] http://allmydata

so how do *you* manage your keys, then? part 3

2009-09-04 Thread Zooko Wilcox-O'Hearn
Installment 5 will be about future work and new crypto ideas. Regards, Zooko [1] http://allmydata.org/pipermail/tahoe-dev/2009-August/002637.html # installment 1: immutable file caps [2] http://allmydata.org/pipermail/tahoe-dev/2009-Au

Re: [tahoe-dev] a crypto puzzle about digital signatures and future compatibility

2009-09-04 Thread Zooko Wilcox-O'Hearn
On Thursday,2009-08-27, at 19:14 , James A. Donald wrote: Zooko Wilcox-O'Hearn wrote: Right, and if we add algorithm agility then this attack is possible even if both SHA-2 and SHA-3 are perfectly secure! Consider this variation of the scenario: Alice generates a filecap and gives

Re: [tahoe-dev] a crypto puzzle about digital signatures and future compatibility

2009-08-31 Thread Zooko Wilcox-O'Hearn
nus Torvalds , Perry Metzger, et al. that git users are vulnerable to exploitation by collisions. I'll try to write up my reasoning at some point.) Regards, Zooko

a crypto puzzle about digital signatures and future compatibility

2009-08-26 Thread Zooko Wilcox-O'Hearn
o a v1.6 reader, asking him to inspect the file and then pass it on to his trusted, v1.7-using, partner? Hm... This at least suggests that the v1.7 readers need to check *all* hashes that are offered and raise an alarm if some verify and others don't. Is that good enough? :-/ Reg

Re: [tahoe-dev] Tahoe-LAFS key management, part 2: Tahoe-LAFS is like encrypted git

2009-08-19 Thread Zooko Wilcox-O'Hearn
On Wednesday,2009-08-19, at 10:05 , Jack Lloyd wrote: On Wed, Aug 19, 2009 at 09:28:45AM -0600, Zooko Wilcox-O'Hearn wrote: [*] Linus Torvalds got the idea of a Cryptographic Hash Function Directed Acyclic Graph structure from an earlier distributed revision control tool named Mon

Tahoe-LAFS key management, part 2: Tahoe-LAFS is like encrypted git

2009-08-19 Thread Zooko Wilcox-O'Hearn
hat convenience more than an extra degree of safety. I know of other people who keep their Tahoe-LAFS caps more securely, on Unix filesystems, on encrypted USB keys, etc.. Regards, Zooko [*] Linus Torvalds got the idea of a Cryptographic Hash Function Directed Acyclic Graph structure f

So how do *you* manage your keys, then? Re: [tahoe-dev] cleversafe says: 3 Reasons Why Encryption isOverrated

2009-08-18 Thread Zooko Wilcox-O'Hearn
istributed, fault-tolerant key-value storage grid), and without having to know too much about how other programs or other humans on the same system are managing their caps. We owe thanks to many others including the authors of Self-certifying filesystem, Freenet, Mojo Nation a

strong claims about encryption safety Re: [tahoe-dev] cleversafe says: 3 Reasons Why Encryption isOverrated

2009-08-12 Thread Zooko Wilcox-O'Hearn
me it is an excellent starting point for a modern study of the cryptographic issues. :-) I still do intend to follow-up on the subthread which I call "So how do *you* do key management, then?", which I consider to be the most important issue for practical security of systems like the

Re: [tahoe-dev] cleversafe says: 3 Reasons Why Encryption isOverrated

2009-08-11 Thread Zooko Wilcox-O'Hearn
On Monday,2009-08-10, at 13:47 , Zooko Wilcox-O'Hearn wrote: This conversation has bifurcated, Oh, and while I don't mind if people want to talk about this on the tahoe-dev list, it doesn't have that much to do with tahoe-lafs anymore, now that we're done com

Re: [tahoe-dev] cleversafe says: 3 Reasons Why Encryption isOverrated

2009-08-11 Thread Zooko Wilcox-O'Hearn
archive: http://www.mail-archive.com/cryptography@metzdowd.com/msg10680.html Here it is on the tahoe-dev mailing list archive. Note that threading is screwed up in our mailing list archive. :-( http://allmydata.org/pipermail/tahoe-dev/2009-August/subject.html#start Regards, Zooko

Re: cleversafe says: 3 Reasons Why Encryption is Overrated

2009-08-09 Thread Zooko Wilcox-O'Hearn
safe alternatives such as keeping the data on your home computer or on your corporate server. The Cleversafe FUD doesn't help people understand the issues better. Regards, Zooko [1] http://allmydata.org/pipermail/tahoe-dev/2009-July/002482.html [2] http://allmydata.org/piperma

Re: cleversafe says: 3 Reasons Why Encryption is Overrated

2009-08-09 Thread Zooko Wilcox-O'Hearn
[dropping tahoe-dev from Cc:] On Thursday,2009-08-06, at 2:52 , Ben Laurie wrote: Zooko Wilcox-O'Hearn wrote: I don't think there is any basis to the claims that Cleversafe makes that their erasure-coding ("Information Dispersal")-based system is fundamentally safer

Re: cleversafe says: 3 Reasons Why Encryption is Overrated

2009-08-05 Thread Zooko Wilcox-O'Hearn
es in processing power e.g. reference to Moore's Law is confused. Advances in processing power would not be sufficient to crack modern cryptosystems and in many cases would not be necessary either. Okay I think that's it. I hope these notes are not so terse as to be confusing or inf

ANNOUNCING Tahoe, the Lofty-Atmospheric Filesystem, v1.5

2009-08-02 Thread Zooko Wilcox-O'Hearn
ever), then you will be added to the Hall Of Fame at http://hacktahoe.org . :-) Regards, Zooko --- The Tahoe-LAFS team is pleased to announce the immediate availability of version 1.5 of Tahoe, the Lofty Atmospheric File System. Tahoe-LAFS is the first cloud storage technology which offers secur

Re: Fast MAC algorithms?

2009-08-02 Thread Zooko Wilcox-O'Hearn
Poly1305 to VMAC, please report your measurement, at least to me privately if not to the list. I can use that sort of feedback to contribute improvements to the Crypto++ library. Thanks! Regards, Zooko Wilcox-O'Hearn --- Tahoe, the Least-Authority Filesystem -- http://allmydata.org

Re: cleversafe says: 3 Reasons Why Encryption is Overrated

2009-07-31 Thread Zooko Wilcox-O'Hearn
. http://allmydata.org/pipermail/tahoe-dev/2009-July/002482.html Jason Resch of cleversafe has also been participating in the discussion on that list. Regards, Zooko

cleversafe says: 3 Reasons Why Encryption is Overrated

2009-07-24 Thread Zooko Wilcox-O'Hearn
he cleversafe architecture is just as susceptible to AES-256 failing as an encryption scheme such as is used in the Tahoe-LAFS architecture). But, it is time for me to stop reading about cryptography and get ready to go to work. :-) Regards Zooko --- Tahoe, the Least-Authority Fi

Re: 112-bit prime ECDLP solved

2009-07-20 Thread Zooko Wilcox-O'Hearn
On Sunday,2009-07-19, at 13:24 , Paul Hoffman wrote: At 7:54 AM -0600 7/18/09, Zooko Wilcox-O'Hearn wrote: This involves deciding whether a 192-bit elliptic curve public key is strong enough... Why not just go with 256-bit EC (128-bit symmetric strength)? Is the 8 bytes per signatur

why hyperelliptic curves?

2009-07-19 Thread Zooko Wilcox-O'Hearn
ivate- hyperelliptic-curve-based capabilities (in addition to RSA and ECDSA for backward compatibility). Regards, Zooko Wilcox-O'Hearn P.S. Oh, I told a lie in the interests of brevity when I said that file handles contain actual public keys or actual private keys. RSA keys are way

Re: 112-bit prime ECDLP solved

2009-07-19 Thread Zooko Wilcox-O'Hearn
tic.org and jam...@echeque.com to the list of addresses that can post to tahoe-dev without being subscribed. Regards, Zooko

Re: Warning! New cryptographic modes!

2009-05-22 Thread Zooko Wilcox-O'Hearn
ient capability- based access control scheme. Regards, Zooko [1] http://allmydata.org [2] http://allmydata.org/trac/tahoe/browser/docs/architecture.txt [3] http://duplicity.nongnu.org [4] http://podcast.utos.org/index.php?id=52 --

ANNOUNCING Tahoe-LAFS v1.4

2009-04-30 Thread zooko
pace and bandwidth to the open source project. Thank you to Allmydata, Inc. for their generous and public-spirited support. Zooko Wilcox-O'Hearn on behalf of the allmydata.org team Special acknowledgment goes to Brian Warner, whose superb engineering skills and dedication are primarily respon

ANNOUNCING allmydata.org "Tahoe", the Least-Authority Filesystem, v1.3

2009-02-14 Thread zooko
able, malfunctioning, or malicious." Such ambitious security goals benefit greatly from public criticism and review, so please kick the tires and let us know what you think. Regards, Zooko ANNOUNCING allmydata.org "Tahoe", the Least-Authority Filesystem, v1.3 We are pleased

Re: Proof of Work -> atmospheric carbon

2009-01-27 Thread Zooko O'Whielacronx
s anyone have more detail about the scale and scope of these currencies? > My white paper could use a little updating, but the basic conclusions > remain sound: > > http://www.taugh.com/epostage.pdf Thanks! I'll read this. Regards, Zooko -

Re: ADMIN: no money politics, please

2008-11-08 Thread zooko
ently being involved in a project that might lead to a third attempt. Regards, Zooko --- http://allmydata.org -- Tahoe, the Least-Authority Filesystem http://allmydata.com -- back up all your files for $10/month

multicore hash functions (was: 5x speedup for AES using SSE5?)

2008-08-25 Thread zooko
if you have a better way to think about parallelism of hash functions, I'm all ears. Thanks, Zooko --- http://allmydata.org -- Tahoe, the Least-Authority Filesystem http://allmydata.com -- back up all your files for $5/month

ANNOUNCING Allmydata.org "Tahoe", the Least-Authority Filesystem, v1.2

2008-07-21 Thread zooko
Dear people of the Cryptography mailing list: The Hack Tahoe! contest (http://hacktahoe.org ) has already led a security researchers to spot a flaw in our crypto design. This release fixes that flaw. Regards, Zooko ANNOUNCING Allmydata.org "Tahoe", the Least-Authority Filesy

ANNOUNCING the "Hack Tahoe!" contest

2008-07-19 Thread zooko
Folks: This contest is inspired by Sameer Parekh's "Hack Netscape!" contest in the fall of 1995. It is already eliciting some really good security insights from smart people. Regards, Zooko ANNOUNCING the "Hack Tahoe!" contest http://hacktahoe.org T

Re: how bad is IPETEE?

2008-07-16 Thread zooko
's Obfuscated TCP: http://code.google.com/p/obstcp/ One of the design constraints for Obfuscated TCP was that an Obfuscated TCP connection is required to take zero more round trips to set up and use than a normal TCP connection. Way to go, Adam! Regards,

Re: Why doesn't Sun release the crypto module of the OpenSPARC?

2008-06-29 Thread zooko
esign around the assumptions of software crypto. Regards, Zooko [1] https://financialcryptography.com/mt/archives/001064.html [2] http://www.creativedestruction.com/archives/000937.html

Re: Why doesn't Sun release the crypto module of the OpenSPARC?

2008-06-13 Thread zooko
t NSA or some such shadowy agency bamboozled them into thinking that it would be illegal to release it, or threatened them with unfortunate coincidences if they went ahead, or persuaded them that GPL'ing it would aid terr

ANNOUNCING Allmydata.org "Tahoe", the Least-Authority Filesystem, v1.1

2008-06-11 Thread zooko
Inc. [13], a provider of consumer backup services. Allmydata, Inc. contributes hardware, software, ideas, bug reports, suggestions, demands, and money (employing several allmydata.org Tahoe hackers and instructing them to spend part of their work time on this free-software project). We are eternal

Why doesn't Sun release the crypto module of the OpenSPARC? Crypto export restrictions!

2008-06-11 Thread zooko
("N2" is the development code-name for the most recent OpenSPARC -- its product name is "T2".) Appended is my reply. If anyone on this list knows more about the relevant export regulations, please share. Regards, Zooko [1] http://www.opensparc.net/opensparc-t2/d

Re: The perils of security tools

2008-05-26 Thread zooko
On May 24, 2008, at 9:18 PM, Steven M. Bellovin wrote: I believe that all open source Unix-like systems have /dev/random and /dev/urandom; Solaris does as well. By the way, Solaris is an open source Unix-like system nowadays. ;-) Regards, Zooko

OpenSparc -- the open source chip (except for the crypto parts)

2008-05-01 Thread zooko
pen sparc community support" e-mail address, and the Sun "open source ombudsman", Simon Phipps. None of them ever wrote back. This experience rather dampened my enthusiasm about relying on T2 hardware as a higher-assurance, but still pretty commo

Re: [p2p-hackers] convergent encryption reconsidered -- salting and key-strengthening

2008-04-02 Thread zooko
l benefits to be gained then I will revisit this issue and perhaps I will be forced to rely on an argument of the other form -- that users are unlikely to use it in an unsafe way. Thank you again for your thoughtful comments on this issue. Regards, Zooko O'Whielacronx

convergent encryption reconsidered -- salting and key-strengthening

2008-03-31 Thread zooko
it is not needed because the "s = random()" part of the algorithm locks out all attackers except those with whom s is shared from mounting such an attack at all. Thank you for your comments on this issue. If you have further ideas, especially as would be relevant to the Tahoe L

announcing allmydata.org "Tahoe", the Least-Authority Filesystem, v1.0

2008-03-26 Thread zooko
a, Inc. [10], a provider of consumer backup services. Allmydata, Inc. contributes hardware, software, ideas, bug reports, suggestions, demands, and money (employing several allmydata.org Tahoe hackers and instructing them to spend part of their work time on this free-software project). We are eternally

Re: [p2p-hackers] convergent encryption reconsidered

2008-03-26 Thread zooko
user were using it with files that she intended not to divulge, but that were susceptible to being brute-forced in this way by an attacker. On Mar 20, 2008, at 10:56 PM, Jim McCoy wrote: On Mar 20, 2008, at 12:42 PM, zooko wrote: Security engineers have always appreciated that converge

Fwd: [tahoe-dev] [p2p-hackers] convergent encryption reconsidered

2008-03-21 Thread zooko
Dear Perry Metzger: Jim McCoy asked me to forward this, as he is not subscribed to cryptography@metzdowd.com, so his posting bounced. Regards, Zooko Begin forwarded message: From: Jim McCoy <[EMAIL PROTECTED]> Date: March 20, 2008 10:56:58 PM MDT To: theory and practice of decentr

convergent encryption reconsidered

2008-03-21 Thread zooko
(This is an ASCII rendering of https://zooko.com/convergent_encryption_reconsidered.html .) Convergent Encryption Reconsidered Written by Zooko Wilcox-O'Hearn, documenting ideas due to Drew Perttula, Brian Warner, and Zooko Wilcox-O'Hearn, 2008-03-20.

announcing allmydata.org "Tahoe" v0.9

2008-03-15 Thread zooko
llowing them to spend part of their work time on the next-generation, free-software project). We are eternally grateful! Zooko O'Whielacronx on behalf of the allmydata.org team March 13, 2008 Boulder, Colorado, USA [1] http://allmydata.org/trac/tahoe/browser/relnotes.txt?rev=2183 [2] http://al

announcing allmydata.org "Tahoe" v0.8

2008-02-21 Thread zooko
as, bug reports, suggestions, demands, and money (employing several allmydata.org Tahoe hackers and allowing them to spend part of their work time on the next-generation, free-software project). We are eternally grateful! Zooko O'Whielacronx on behalf of the allmydata.org team February 15

Re: [tahoe-dev] Surely M$ can patent this process?

2008-01-27 Thread zooko
's an interesting puzzle of intellectual history. The idea certainly seems to have been "in the air", as both Mojo Nation and Freenet were working on it before the May 2000 patent submission by Doceur et al., but Mojo Nation and Freenet each published the idea shortly after May 2000

announcing Allmydata-Tahoe v0.7

2008-01-08 Thread zooko
've done a good job of designing and implementing this securely, we know that this kind of thing can have subtle problems, and we would welcome peer review of what we've done, as well as ideas of what we should do. Regards, Zooko O'Whielacronx ANNOUNCING: Allmydata-Tahoe vers

Re: crypto class design

2007-12-20 Thread zooko
on it? I'm curious if your crypto library is to be implemented by use of another one, perhaps an open-source one that I am familiar with. Nowadays I prefer Crypto++ [1]. Regards, Zooko [1] http://cryptopp.com/

Re: Fingerprint Firefox Plugin?

2007-10-24 Thread zooko
something that appears to be your bank account. So, the thing about writing down certificates and mapping them to short hand-written notes is what the Pet Name Toolbar automates for you: https://addons.mozilla.org/en-US/firefox/addon/957 Please let us know how it works for you. Regards,

Re: no surprise - Sun fails to open source the crypto part of Java

2007-05-14 Thread zooko
t on PKI style certificates for signing, ... The most important motivation at the time was to avoid the risk of Java being export-controlled as crypto. The theory within Sun was that "crypto with a hole" would be fre

switching from SHA-1 to Tiger ?

2006-07-11 Thread Zooko O'Whielacronx
in a hash function is more important than speed in encryption. By the way, the traditional practice of using a hash function as a component of a MAC should, in my humble opinion, be retired in favor of the Carter-Wegman alternative such as Poly-1305 AES [7]. Regards, Zooko [1] http://allmyda

Re: entropy depletion

2005-01-08 Thread Zooko O'Whielacronx
engineering, etc. outweighs the chance of a successful attack due to cryptanalysis of the PRNG, which is why I use /dev/urandom exclusively [*, **]. You may weigh those trade-offs differently, but you shouldn't think that by decrementing entropy_count you are achieving information-theore

Re: The Pointlessness of the MD5 "attacks"

2005-01-04 Thread Zooko O'Whielacronx
: Alice is vulnerable to Charles's choice of package because she trusts Bob to choose packages and Bob trusts Charles to provide image files. And because they are using a non-collision-resistant hash function. Regards, Zooko

Re: potential new IETF WG on anonymous IPSec

2004-09-13 Thread Zooko O'Whielacronx
On 2004, Sep 11, , at 17:20, Sandy Harris wrote: Zooko O'Whielcronx wrote: I believe that in the context of e-mail [1, 2, 3, 4] and FreeSWAN this is called "opportunistic encryption". That is certainly not what FreeS/WAN meant by "opportunistic encryption"

Re: potential new IETF WG on anonymous IPSec

2004-09-11 Thread Zooko O'Whielcronx
that in the context of e-mail [1, 2, 3, 4] and FreeSWAN this is called "opportunistic encryption". Regards, Zooko [1] http://www.templetons.com/brad/crypt.html [2] http://bitconjurer.org/envelope.html [3] http://pps.sourceforge.net/ [4] http:

Re: Humorous anti-SSL PR

2004-07-28 Thread Zooko
ch of such ideas, but I have not yet read your book on TLS. Thanks, Zooko [1] http://www.terisa.com/shttp/current.txt

Re: Protection against offline dictionary attack on static files

2003-11-16 Thread Zooko Journeyman
ely used key-strengthening of iterated hashing. [1] http://www.cse.ucsc.edu/~abadi [2] http://research.microsoft.com/users/needham/ [3] http://citeseer.nj.nec.com/manber96simple.html [4] http://www.cse.ucsc.edu/~abadi/Papers/pwd-revised.ps """ Regards, Zooko ---

Re: Simple SSL/TLS - Some Questions

2003-10-06 Thread Zooko O'Whielacronx
dy interactive license chooser at http://pgl.yoyo.org/lqr/, and it said the following. I may have misunderstood your desiderata though, so don't take my word for it. ;-) Regards, Zooko License | Hackers like accepting code under it | | Combine with proprietary

Re: OOAPI-SSL/TLS (Was: Simple SSL/TLS - Some Questions)

2003-10-04 Thread Zooko O'Whielacronx
ably simple (no templates) then SWIG > (http://www.swig.org) will make the scripting language glue code for you > automatically. I use SWIG and like it. They say that the new SWIG handles templates better than good old 1.1. I haven't tried SWIG on Crypto++. I would really *like* for someone el

Re: how to defeat MITM using plain DH, Re: anonymous DH & MITM

2003-10-04 Thread Zooko O'Whielacronx
probably for an adversary to compromise all of them. """ Regards, Zooko [1] http://cypherpunks.venona.com/date/1995/10/msg00668.html [2] http://www.cacr.math.uwaterloo.ca/hac/

Re: anonymous DH & MITM

2003-10-04 Thread Zooko O'Whielacronx
f of the ciphertext at a time seems peripheral. The same qualities would arise if this were implemented with a different commitment protocol, such as sending a secure hash of the tuple of (my_message, a_random_nonce). Regards, Zoo

Strong-Enough Pseudonymity as Functional Anonymity

2003-10-04 Thread Zooko O'Whielacronx
it might be nice to have Goal B achievable in a certain setting where Goal A remains unachievable. Regards, Zooko the Zoogulant

Re: anonymous DH & MITM

2003-10-03 Thread Zooko O'Whielacronx
> Perhaps I spoke too soon? It's not in Eurocrypt or Crypto 84 or 85, > which are on my shelf. Where was it published? R. L. Rivest and A. Shamir. How to expose an eavesdropper. Communications of the ACM, 27:393-395, April 1984.

Full-Duplex-Chess Grandmaster (was: anonymous DH & MITM)

2003-10-02 Thread Zooko O'Whielacronx
against one of them and winning. I certainly don't claim that the Interlock Protocol can prevent Mitch from playing a game with one person and also playing a game with a second person, but I do claim that it can prevent Mitch from

Re: anonymous DH & MITM

2003-10-02 Thread Zooko O'Whielacronx
are brilliant and well-read cryptographers. However the Interlock Protocol provides a counter-example to that intuition! (Not for Chess Grandmaster, but for a full-duplex protocol such as Bughouse Grandmaster). There are other counter-examples in the literature, which I would be happy to

Re: anonymous DH & MITM

2003-10-02 Thread Zooko O'Whielacronx
I'm not sure it is the same definition that other people are thinking of. Anyway, it is a funny and underappreciated niche in cryptography, IMO. AFAIK nobody has yet spelled out in the open literature what the actual theoretical limitations are. Regards, Zooko http://zooko.com/log.html

Re: Reliance on Microsoft called risk to U.S. security

2003-09-28 Thread Zooko
File -> Save As" dialogs also serves as a Least-Privilege-enforcing access control system which protects even a naive and lazy user from a malicious text editor. See also Ping Yee's research in secure Human Interface. Regards, Zooko O'Whielacronx http://zooko.com/log.html -

Re: Crypto Hygiene?

2003-08-25 Thread Zooko
that I am one of those who is inventing my own secure comms layer. But you don't have to cotton to that idea in order to enjoy the small bibliography. Regards, Zooko http://zooko.com/log.html

Re: Announcing httpsy://, a YURL scheme

2003-07-16 Thread Zooko
at Alice meant for him to see. Regards, Zooko http://zooko.com/

Re: Announcing httpsy://, a YURL scheme

2003-07-15 Thread Zooko
notion that SFS applies to remote filesystems. It is an excellent idea. Regards, Zooko

Re: replay & integrity

2003-07-10 Thread Zooko
* provide functionality sufficient for these sorts of apps, but I am saying that the notion of replay-prevention and integrity which is implemented in TLS is insufficient for these sorts of apps, and that I'm interested in attempts to offer a higher-level abstraction. Regards, Zooko htt

Re: Nullsoft's WASTE communication system

2003-06-02 Thread Zooko
ldn't. Regards, Zooko http://zooko.com/ ^-- under re-construction: some new stuff, some broken links [1] http://planeta.terra.com.br/informatica/paulobarreto/AnubisPage.html > AES has gotten a lot of attention, and right now, it's the high-prestige > target. (Among other