On Tue, Sep 10, 2013 at 2:04 PM, Joe Abley wrote:
> As an aside, I see CAs with Chinese organisation names in my browser list.
I wouldn't pick on/fear/call out the Chinese specifically.
Also, be aware that browsers must transitively trust all the issuers
that the known trust anchors have issued
On 2013-09-10, at 17:35, Ben Laurie wrote:
> On 10 September 2013 22:04, Joe Abley wrote:
>
>> Suppose Mallory has access to the private keys of CAs which are in "the"
>> browser list or otherwise widely-trusted.
>>
>> An on-path attack between Alice and Bob would allow Mallory to terminate
On Tue, 10 Sep 2013 17:04:51 -0400 Joe Abley
wrote:
> On 2013-09-09, at 12:04, "Salz, Rich" wrote:
>
> > then maybe it's not such a "silly accusation" to think that
> > root CAs are routinely distributed to multinational secret
> > services to perform MITM session decryption on any form of
> > c
On 10 September 2013 22:04, Joe Abley wrote:
> Suppose Mallory has access to the private keys of CAs which are in "the"
> browser list or otherwise widely-trusted.
>
> An on-path attack between Alice and Bob would allow Mallory to terminate
> Alice's TLS connection, presenting an opportunisticall
On 2013-09-09, at 12:04, "Salz, Rich" wrote:
> ➢ then maybe it's not such a "silly accusation" to think that root CAs are
> routinely distributed to multinational secret
> ➢ services to perform MITM session decryption on any form of communication
> that derives its security from the CA PKI.
>
> On Mon, Sep 09, 2013 at 06:41:23AM -0700, Andreas Davour wrote:
>> >So there *is* a BTNS implementation, after all. Albeit
>> >only for OpenBSD -- but this means FreeBSD is next, and
>> >Linux to follow.
>>
>> I might add that as far as I know, this work has not been picked up
>> yet by
>
> From: Eugen Leitl
>Forwarded with permission.
[snip]
> http://hack.org/mc/projects/btns/
>So there *is* a BTNS implementation, after all. Albeit
>only for OpenBSD -- but this means FreeBSD is next, and
>Linux to follow.
I might add that as far as I know, thi
➢ then maybe it's not such a "silly accusation" to think that root CAs are
routinely distributed to multinational secret
➢ services to perform MITM session decryption on any form of communication
that derives its security from the CA PKI.
How would this work, in practice? How would knowing a
> * NSA employees participated throughout, and occupied leadership roles
> in the committee and among the editors of the documents
> Slam dunk. If the NSA had wanted it, they would have designed it themselves.
> The only
> conclusion for their presence that is rational is to sabotage it
Hi Jeffrey,
On 8/09/13 02:52 AM, Jeffrey I. Schiller wrote:
The IETF was (and probably still is) a bunch of hard working
individuals who strive to create useful technology for the
Internet.
Granted! I do not want to say that the IETF people are in a conspiracy
with someone or each other, o
On Fri, Sep 06, 2013 at 05:22:26PM -0700, John Gilmore wrote:
> Speaking as someone who followed the IPSEC IETF standards committee
> pretty closely, while leading a group that tried to implement it and
> make it so usable that it would be used by default
Subject: [Cryptography] Opening Discussion: Speculation on "BULLRUN"
Reply-To: Andreas Davour
> Apropos IPsec, I've tried searching for any BTNS (opportunistic encryption
> mode for
> IPsec) implementations, and even the authors of the
> 3) Shortly after the token indictment of Zimmerman (thus prompting widespread
> use and promotion of the RSA public key encryption algorithm), the Clinton
> administration's FBI then advocated a relaxation of encryption export
> regulations in addition to dropping all plans for the Clipper chi
On Sat, Sep 7, 2013 at 6:50 PM, John Gilmore wrote:
> PS: My long-standing domain registrar (enom.com) STILL doesn't support
> DNSSEC records -- which is why toad.com doesn't have DNSSEC
> protection. Can anybody recommend a good, cheap, reliable domain
> registrar who DOES update their software
Hi,
http://www.youtube.com/watch?v=K8EGA834Nok
Is DNSSEC really the right solution?
Daniel
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
On Sep 7, 2013, at 11:45 PM, John Kelsey wrote:
> Let's suppose I design a block cipher such that, with a randomly generated
> key and 10,000 known plaintexts, I can recover that key At this point,
> what I have is a trapdoor one-way function. You generate a random key K and
> then compute
On Sat, Sep 7, 2013 at 9:50 PM, John Gilmore wrote:
> > >> First, DNSSEC does not provide confidentiality. Given that, it's not
> > >> clear to me why the NSA would try to stop or slow its deployment.
>
> DNSSEC authenticates keys that can be used to bootstrap
> confidentiality. And it does so
On Sat, Sep 7, 2013 at 10:35 PM, Gregory Perry
wrote:
> >On 09/07/2013 09:59 PM, Phillip Hallam-Baker wrote:
> >
> >Anyone who thinks Jeff was an NSA mole when he was one of the main people
> >behind the MIT version of PGP and the distribution of Kerberos is talking
> >daft.
> >
> >I think that t
On Sat, Sep 7, 2013 at 8:53 PM, Gregory Perry wrote:
> On 09/07/2013 07:52 PM, Jeffrey I. Schiller wrote:
> > Security fails on the Internet for three important reasons, that have
> > nothing to do with the IETF or the technology per-se (except for point
> > 3).
> > 1. There is little market for
Let's suppose I design a block cipher such that, with a randomly generated key
and 10,000 known plaintexts, I can recover that key. For this to be useful in
a world with relatively sophisticated cryptanalysts, I must have confidence
that it is extremely hard to find my trapdoor, even when you c
On 09/06/2013 05:58 PM, Jon Callas wrote:
We know as a mathematical theorem that a block cipher with a back
door *is* a public-key system. It is a very, very, very valuable
thing, and suggests other mathematical secrets about hitherto
unknown ways to make fast, secure public key systems.
I've
> >> First, DNSSEC does not provide confidentiality. Given that, it's not
> >> clear to me why the NSA would try to stop or slow its deployment.
DNSSEC authenticates keys that can be used to bootstrap
confidentiality. And it does so in a globally distributed, high
performance, high reliability d
On Sat, Sep 07, 2013 at 09:14:47PM +, Gregory Perry wrote:
> And this is exactly why there is no real security on the Internet.
> Because the IETF and standards committees and working groups are all
> in reality political fiefdoms and technological
On 09/07/2013 05:03 PM, Phillip Hallam-Baker wrote:
Good theory, only the CA industry tried very hard to deploy and was prevented
from doing so because Randy Bush abused his position as DNSEXT chair to prevent
modification of the spec to meet the deployment requirements in .com.
DNSSEC would hav
On Sat, Sep 7, 2013 at 5:19 AM, ianG wrote:
> On 7/09/13 10:15 AM, Gregory Perry wrote:
>
> Correct me if I am wrong, but in my humble opinion the original intent
>> of the DNSSEC framework was to provide for cryptographic authenticity
>> of the Domain Name Service, not for confidentiality (alth
On 09/07/2013 04:20 PM, Phillip Hallam-Baker wrote:
Before you make silly accusations go read the VeriSign Certificate Practices
Statement and then work out how many people it takes to gain access to one of
the roots.
The Key Ceremonies are all videotaped from start to finish and the auditors
On 09/07/13 05:19, ianG wrote:
If so, then the domain owner can deliver a public key with authenticity using
the DNS.
This strikes a deathblow to the CA industry. This threat is enough for CAs to
spend a significant amount
of money slowing down its development [0].
unfortunately as far as SS
On Sat, Sep 7, 2013 at 3:13 PM, Gregory Perry wrote:
> >If so, then the domain owner can deliver a public key with authenticity
> >using the DNS. This strikes a deathblow to the CA industry. This
> >threat is enough for CAs to spend a significant amount of money slowing
> >down its development [
First, DNSSEC does not provide confidentiality. Given that, it's not
clear to me why the NSA would try to stop or slow its deployment.
If it isn't, then you haven't considered its likely effects.
First of all, it makes CA's visibly redundant. If people stop using
CA's that multiplies the nu
On Sat, Sep 7, 2013 at 2:19 AM, ianG wrote:
> On 7/09/13 10:15 AM, Gregory Perry wrote:
>
> Correct me if I am wrong, but in my humble opinion the original intent
>> of the DNSSEC framework was to provide for cryptographic authenticity
>> of the Domain Name Service, not for confidentiality (alth
On Sat, 7 Sep 2013, Gregory Perry wrote:
Insecure DNS deployments are probably in the top five attack vectors
for remotely compromising internal network topologies, even those
sporting split DNS configurations. As you were "...deeply involved in the
IETF's DNSEXT working group" then I presume y
>If so, then the domain owner can deliver a public key with authenticity
>using the DNS. This strikes a deathblow to the CA industry. This
>threat is enough for CAs to spend a significant amount of money slowing
>down its development [0].
>
>How much more obvious does it get [1] ?
The PKI indust
On Sep 7, 2013, at 12:31 AM, Jon Callas wrote:
>> I'm sorry, but this is just nonsense. You're starting with informal, rough
>> definitions and claiming a mathematical theorem.
>
> Actually, I'm doing the opposite. I'm starting with a theorem and arguing
> informally from there
Actually, if
On 7/09/13 10:15 AM, Gregory Perry wrote:
Correct me if I am wrong, but in my humble opinion the original intent
of the DNSSEC framework was to provide for cryptographic authenticity
of the Domain Name Service, not for confidentiality (although that
would have been a bonus).
If so, then the d
On Fri, Sep 06, 2013 at 09:19:07PM -0400, Derrell Piper wrote:
> ...and to add to all that, how about the fact that IPsec was dropped as a
> 'must implement' from IPv6 sometime after 2002?
Apropos IPsec, I've tried searching for any BTNS (opportunistic encryption mode
for
IPsec) implementations,
On 7/09/13 03:58 AM, Jon Callas wrote:
Could an encryption algorithm be explicitly designed to have properties like this? I
don't know of any, but it seems possible. I've long suspected that NSA might want this
kind of property for some of its own systems: In some cases, it completely contr
On 7/09/13 01:51 AM, Peter Gutmann wrote:
ianG writes:
And, controlling processes is just what the NSA does.
https://svn.cacert.org/CAcert/CAcert_Inc/Board/oss/oss_sabotage.html
How does '(a) Organizations and Conferences' differ from SOP for these sorts
of things?
In principle, it doesn
>As an opponent of DNSSEC opt-in back in the day, I think this is a
>poor example of NSA influence in the standards process.
>
>I do not challenge PHB's "theory that the NSA has plants in the
>IETF to discourage moves to strong crypto", particularly given John
>Gilmore's recent message on IPSEC, bu
On Thu, 5 Sep 2013, Phillip Hallam-Baker wrote:
* Allowing deployment of DNSSEC to be blocked in 2002(sic) by
blocking a technical change that made it possible to deploy in
.com.
As an opponent of DNSSEC opt-in back in the day, I think this is a
poor example of NSA influence in the standards
On Sep 6, 2013, at 8:22 PM, Jerry Leichter wrote:
> I'm sorry, but this is just nonsense. You're starting with informal, rough
> definitions and claiming a mathematical theorem.
Actually, I'm doing the opposite. I'm starting with a theorem and arg
On Sep 6, 2013, at 8:58 PM, Jon Callas wrote:
>> I've long suspected that NSA might want this kind of property for some of
>> its own systems: In some cases, it completely controls key generation and
>> distribution, so can make sure the system as fielded only uses "good" keys.
>> If the algo
On Sep 6, 2013, at 8:22 PM, John Gilmore wrote:
> Speaking as someone who followed the IPSEC IETF standards committee
> pretty closely, while leading a group that tried to implement it and
> make it so usable that it would be used by default throughout the
> Internet, I noticed some things:
...and
On 9/6/2013 1:05 PM, Perry E. Metzger wrote:
I have re-read the NY Times article. It appears to only indicate that
this was *a* standard that was sabotaged, not that it was the only
one. In particular, the Times merely indicates that they can now
confirm that this particular standard was sabota
...and to add to all that, how about the fact that IPsec was dropped as a 'must
implement' from IPv6 sometime after 2002?
On Sep 6, 2013, at 6:23 AM, Jerry Leichter wrote:
> Is such an attack against AES *plausible*? I'd have to say no. But if you
> were on the stand as an expert witness and were asked under cross-examination
> "Is this *possible*?", I contend the o
Speaking as someone who followed the IPSEC IETF standards committee
pretty closely, while leading a group that tried to implement it and
make it so usable that it would be used by default throughout the
Internet, I noticed some things:
* NSA employees participated throughout, and occupied leadershi
On Sep 6, 2013, at 4:42 AM, Jerry Leichter wrote:
> Argh! And this is why I dislike using "symmetric" and "asymmetric" to
> describe cryptosystems: In English, the distinction is way too brittle.
> Just a one-letter difference - and in includin
On 6/09/13 08:04 AM, John Kelsey wrote:
It is possible Dual EC DRBG had its P and Q values generated to insert a
trapdoor, though I don't think anyone really knows that (except the people who
generated it, but they probably can't prove anything to us at this point).
It's also immensely slowe
Following up on my own posting:
> [The NSA] want to buy COTS because it's much cheaper, and COTS is based on
> standards. So they have two contradictory constraints: They want the stuff
> they buy secure, but they want to be able to break in to exactly the same
> stuff when anyone else buys it.
ianG writes:
> And, controlling processes is just what the NSA does.
>
> https://svn.cacert.org/CAcert/CAcert_Inc/Board/oss/oss_sabotage.html
How does '(a) Organizations and Conferences' differ from SOP for these sorts
of things?
Peter.
On 6/09/13 11:32 AM, ianG wrote:
And, controlling processes is just what the NSA does.
https://svn.cacert.org/CAcert/CAcert_Inc/Board/oss/oss_sabotage.html
Oops, for those unfamiliar with CAcert's peculiar use of secure
browsing, drop the 's' in the above URL. Then it will securely load.
On Fri, 6 Sep 2013 09:03:27 +0200 Kristian Gjøsteen
wrote:
> As a co-author of an analysis of Dual-EC-DRBG that did not
> emphasize this problem (we only stated that Q had to be chosen at
> random, Ferguson &co were right to emphasize this point), I would
> like to ask:
>
> Has anyone, anyw
On 2013-09-06 12:31 PM, Jerry Leichter wrote:
Another interesting goal: "Shape worldwide commercial cryptography marketplace to make it more tractable to advanced
cryptanalytic capabilities being developed by NSA/CSS." Elsewhere, "enabling access" and "exploiting systems
of interest" and "ins
On 6/09/13 04:50 AM, Peter Gutmann wrote:
"Perry E. Metzger" writes:
At the very least, anyone whining at a standards meeting from now on that
they don't want to implement a security fix because "it isn't important to
the user experience" or adds minuscule delays to an initial connection or
wh
On Fri, Sep 6, 2013 at 3:03 AM, Kristian Gjøsteen <
kristian.gjost...@math.ntnu.no> wrote:
> Has anyone, anywhere ever seen someone use Dual-EC-DRBG?
>
> I mean, who on earth would be daft enough to use the slowest possible
> DRBG? If this is the best NSA can do, they are over-hyped.
>
It
On Sep 6, 2013, at 7:28 AM, Jerry Leichter wrote:
> ...Much of what you say later in the message is that the way we are using
> symmetric-key systems (CA's and such)...
Argh! And this is why I dislike using "symmetric" and "asymmetric" to describe
cryptosystems: In English, the distinction is w
>> Perhaps it's time to move away from public-key entirely! We have a classic
>> paper - Needham and Schroeder, maybe? - showing that private key can do
>> anything public key can; it's just more complicated and less efficient.
>
> Not really. The Needham-Schroeder you're thinking of is the ess
5. sep. 2013 kl. 23:14 skrev Tim Dierks :
> I believe it is Dual_EC_DRBG. The ProPublica story says:
> Classified N.S.A. memos appear to confirm that the fatal weakness, discovered
> by two Microsoft cryptographers in 2007, was engineered by the agency. The
> N.S.A. wrote the standard and aggre
On Fri, 6 Sep 2013 01:19:10 -0400
John Kelsey wrote:
> I don't see what problem would actually be solved by dropping public
> key crypto in favor of symmetric only designs. I mean, if the
> problem is that all public key systems are broken, then yeah, we will
> have to do something else. But if
On Thu, Sep 05, 2013 at 04:11:57PM -0400, Phillip Hallam-Baker wrote:
> If a person at Snowden's level in the NSA had any access to information
Snowden didn't have clearance for that information. He's being described
as 'brilliant' and purportedly was able to access documents far beyond his
lev
I don't see what problem would actually be solved by dropping public key crypto
in favor of symmetric only designs. I mean, if the problem is that all public
key systems are broken, then yeah, we will have to do something else. But if
the problem is bad key generation or bad implementations, t
> On Thu, 5 Sep 2013 19:14:53 -0400 John Kelsey
> wrote:
>> First, I don't think it has anything to do with Dual EC DRBG. Who
>> uses it?
>
> It did *seem* to match the particular part of the story about a
> subverted standard that was complained about by Microsoft
> researchers. I would not cl
On Sep 5, 2013, at 8:24 PM, Jerry Leichter wrote:
>>> Another interesting goal: "Shape worldwide commercial cryptography
>>> marketplace to make it more tractable to advanced cryptanalytic
>>> capabilities being developed by NSA/CSS." ... This ma
On Sep 5, 2013, at 8:02 PM, Jerry Leichter wrote:
> Perhaps it's time to move away from public-key entirely! We have a classic
> paper - Needham and Schroeder, maybe? - showing that private key can do
> anything public key can; it's just more comp
>> Another interesting goal: "Shape worldwide commercial cryptography
>> marketplace to make it more tractable to advanced cryptanalytic capabilities
>> being developed by NSA/CSS." ... This makes any NSA recommendation
>> *extremely* suspect. As far as I can see, the bit push NSA is making th
On Sep 5, 2013, at 10:19 PM, Jon Callas wrote:
> I don't disagree by any means, but I've been through brittleness with both
> discrete log and RSA, and it seems like only a month ago that people were
> screeching to get off RSA over to ECC to avert the "cryptocalypse." And that
> the ostensible
On Sep 5, 2013, at 7:31 PM, Jerry Leichter wrote:
> Another interesting goal: "Shape worldwide commercial cryptography
> marketplace to make it more tractable to advanced cryptanalytic capabilities
> being developed by NSA/CSS." Elsewhere, "enabl
The actual documents - some of which the Times published with few redactions -
are worthy of a close look, as they contain information beyond what the
reporters decided to put into the main story. For example, at
http://www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-aga
On Sep 5, 2013, at 7:01 PM, Peter Gutmann wrote:
> "Perry E. Metzger" writes:
>
>> I'm aware of the randomness issues for ECDSA, but what's the issue with ECDH
>> that you're thinking of?
>
> It's not just randomness, it's problems with DLP-based
"Perry E. Metzger" writes:
>I'm aware of the randomness issues for ECDSA, but what's the issue with ECDH
>that you're thinking of?
It's not just randomness, it's problems with DLP-based crypto in general. For
example there's the scary tendency of DLP-based ops to leak the private key
(or at lea
On Fri, 06 Sep 2013 13:50:54 +1200 Peter Gutmann
wrote:
> "Perry E. Metzger" writes:
> Does that make them NSA plants? There's drafts for one or
> two more fairly basic fixes to significant problems from other
> people that get stalled forever, while the draft for adding sound
> effects to the T
"Perry E. Metzger" writes:
>At the very least, anyone whining at a standards meeting from now on that
>they don't want to implement a security fix because "it isn't important to
>the user experience" or adds minuscule delays to an initial connection or
>whatever should be viewed with enormous sus
On Thursday, September 5, 2013, Jerry Leichter wrote:
> [This drifts from the thread topic; feel free to attach a different
> subject line to it]
>
> On Sep 5, 2013, at 4:41 PM, Perry E. Metzger wrote:
> > 3) I would not be surprised if random number generator problems in a
> > variety of equipmen
"Perry E. Metzger" writes:
>I would like to open the floor to *informed speculation* about BULLRUN.
Not informed since I don't work for them, but a connect-the-dots:
1. ECDSA/ECDH (and DLP algorithms in general) are incredibly brittle unless
you get everything absolutely perfectly right.
2.
BULLRUN seems to be just an overarching name for several wide programs
to obtain plaintext of passively encrypted internet communications by
many different methods.
While there seem to be many non-cryptographic attacks included in the
BULLRUN program, of particular interest is the cryptographi
On Fri, 06 Sep 2013 12:13:48 +1200 Peter Gutmann
wrote:
> "Perry E. Metzger" writes:
>
> >I would like to open the floor to *informed speculation* about
> >BULLRUN.
>
> Not informed since I don't work for them, but a connect-the-dots:
>
> 1. ECDSA/ECDH (and DLP algorithms in general) are incre
On Sep 5, 2013, at 7:14 PM, John Kelsey wrote:
> My broader question is, how the hell did a sysadmin in Hawaii get hold of
> something that had to be super secret? He must have been stealing files from
> some very high ranking people.
This has bothered me from the beginning. Even the first le
[This drifts from the thread topic; feel free to attach a different subject
line to it]
On Sep 5, 2013, at 4:41 PM, Perry E. Metzger wrote:
> 3) I would not be surprised if random number generator problems in a
> variety of equipment and software were not a very obvious target,
> whether those pr
Hi all,
If you read the articles carefully, you'll note that at no point does the
NSA appear to have actually broken the *cryptography* in use. It's hard to
get concrete details from such vague writing and no access to the
original documents, but it sounds like they've mostly gotten a lot of
Bruce Schneier explains the Dual_EC_DRBG attack:
http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115
On Thu, 05 Sep 2013 16:43:59 -0400 "Bernie Cosell"
wrote:
> On 5 Sep 2013 at 16:11, Phillip Hallam-Baker wrote:
>
> > I would bet that there is more than enough DES traffic to be worth
> > attack
> > and probably quite a bit on IDEA as well. There is probably even
> > some 40 and 64 bit crypto i
On Thu, Sep 5, 2013 at 4:41 PM, Perry E. Metzger wrote:
> On Thu, 5 Sep 2013 15:58:04 -0400 "Perry E. Metzger"
> wrote:
> > I would like to open the floor to *informed speculation* about
> > BULLRUN.
>
> Here are a few guesses from me:
>
> 1) I would not be surprised if it turned out that some p
On Thu, 5 Sep 2013 15:58:04 -0400 "Perry E. Metzger"
wrote:
> I would like to open the floor to *informed speculation* about
> BULLRUN.
Here are a few guesses from me:
1) I would not be surprised if it turned out that some people working
for some vendors have made code and hardware changes at th
On Thu, Sep 5, 2013 at 3:58 PM, Perry E. Metzger wrote:
> I would like to open the floor to *informed speculation* about
> BULLRUN.
>
> Informed speculation means intelligent, technical ideas about what
> has been done. It does not mean wild conspiracy theories and the
> like. I will be instructi
On Thu, 5 Sep 2013 16:53:15 -0400 "Perry E. Metzger"
wrote:
> > Classified N.S.A. memos appear to confirm that the fatal
> > weakness, discovered by two Microsoft cryptographers in 2007, was
> > engineered by the agency. The N.S.A. wrote the standard and
> > aggressively pushed it on the internati
On Thu, 05 Sep 2013 13:33:48 -0700 Eric Murray wrote:
> The NYT article is pretty informative:
> (http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html)
[...]
> Also interesting:
>
> "Cryptographers have long suspected that the agency planted
> vulnerabilities in a standar
I would like to open the floor to *informed speculation* about
BULLRUN.
Informed speculation means intelligent, technical ideas about what
has been done. It does not mean wild conspiracy theories and the
like. I will be instructing the moderators (yes, I have help these
days) to ruthlessly prune i
On Thu, 5 Sep 2013 19:14:53 -0400 John Kelsey
wrote:
> First, I don't think it has anything to do with Dual EC DRBG. Who
> uses it?
It did *seem* to match the particular part of the story about a
subverted standard that was complained about by Microsoft
researchers. I would not claim that it is
What surprises me is that anyone is surprised. If you believed
OpenBSD's Theo de Raadt and Gregory Perry back in late 2010, various
government agencies (in this specific case the FBI- though one wonders
if they were the originating agency) have been l
First, I don't think it has anything to do with Dual EC DRBG. Who uses it?
My impression is that most of the encryption that fits what's in the article is
TLS/SSL. That is what secures most encrypted content going online. The easy
way to compromise that in a passive attack is to compromise
The NYT article is pretty informative:
(http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html)
"Because strong encryption can be so effective, classified N.S.A.
documents make clear, the agency’s success depends on working with
Internet companies — by getting their volunt
On 09/05/2013 01:57 PM, Perry E. Metzger wrote:
and am not sure which international group is being mentioned.
ISO. Not that that narrows it down much.
Eric
On 5 Sep 2013 at 16:11, Phillip Hallam-Baker wrote:
> I would bet that there is more than enough DES traffic to be worth
> attack
> and probably quite a bit on IDEA as well. There is probably even some 40
> and 64 bit crypto in use.
Indeed -- would you (or any of us) guess that NSA could break T
On Thu, Sep 5, 2013 at 4:57 PM, Perry E. Metzger wrote:
> On Thu, 5 Sep 2013 16:53:15 -0400 "Perry E. Metzger"
> wrote:
> > > Anyone recognize the standard?
> >
> > Please say it aloud. (I personally don't recognize the standard
> > offhand, but my memory is poor that way.)
>
> There is now some
OK how about this:
If a person at Snowden's level in the NSA had any access to information
that indicated the existence of any program which involved the successful
cryptanalysis of any cipher regarded as 'strong' by this community then the
Director of National Intelligence, the Director of the NS