Re: entropy depletion (was: SSL/TLS passive sniffing)

2005-01-09 Thread Ian G
William Allen Simpson wrote: There are already other worthy comments in the thread(s). This is a great post. One can't stress enough that programmers need programming guidance, not arcane information theoretic concepts. We are using computational devices, and therefore computational

Re: entropy depletion (was: SSL/TLS passive sniffing)

2005-01-09 Thread Taral
On Sat, Jan 08, 2005 at 10:46:17AM +0800, Enzo Michelangeli wrote: But that was precisely my initial position: that the insight on the internal state (which I saw, by definition, as the loss of entropy by the generator) that we gain from one bit of output is much smaller than one full bit. I

Re: entropy depletion (was: SSL/TLS passive sniffing)

2005-01-08 Thread Enzo Michelangeli
- Original Message - From: [EMAIL PROTECTED] To: cryptography@metzdowd.com Sent: Friday, January 07, 2005 9:30 AM Subject: Re: entropy depletion (was: SSL/TLS passive sniffing) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Enzo Michelangeli Sent: Tuesday, January

Re: entropy depletion (was: SSL/TLS passive sniffing)

2005-01-07 Thread Michael_Heyman
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Enzo Michelangeli Sent: Tuesday, January 04, 2005 7:50 PM This entropy depletion issue keeps coming up every now and then, but I still don't understand how it is supposed to happen. If the PRNG uses a really non-invertible

Re: entropy depletion (was: SSL/TLS passive sniffing)

2005-01-07 Thread Taral
On Thu, Jan 06, 2005 at 04:35:05PM +0800, Enzo Michelangeli wrote: By how much exactly? I'd say, _under the hypothesis that the one-way function can't be broken and other attacks fail_, exactly zero; in the real world, maybe a little more. Unfortunately for your analysis, *entropy* assumes

Re: entropy depletion (was: SSL/TLS passive sniffing)

2005-01-07 Thread Jerrold Leichter
| You're letting your intuition about usable randomness run roughshod | over the formal definition of entropy. Taking bits out of the PRNG | *does* reduce its entropy. | | By how much exactly? I'd say, _under the hypothesis that the one-way | function can't be broken and other attacks fail_,

Re: entropy depletion (was: SSL/TLS passive sniffing)

2005-01-07 Thread John Kelsey
From: John Denker [EMAIL PROTECTED] Sent: Jan 5, 2005 2:06 PM To: Enzo Michelangeli [EMAIL PROTECTED] Cc: cryptography@metzdowd.com Subject: Re: entropy depletion (was: SSL/TLS passive sniffing) ... You're letting your intuition about usable randomness run roughshod over the formal definition

Re: entropy depletion (was: SSL/TLS passive sniffing)

2005-01-06 Thread Enzo Michelangeli
- Original Message - From: John Denker [EMAIL PROTECTED] Sent: Thursday, January 06, 2005 3:06 AM Enzo Michelangeli wrote: [...] If the PRNG uses a really non-invertible algorithm (or one invertible only with intractable complexity), its output gives no insight whatsoever on

Re: SSL/TLS passive sniffing

2005-01-06 Thread Werner Koch
On Wed, 5 Jan 2005 08:49:36 +0800, Enzo Michelangeli said: That's basically what /dev/urandom does, no? (Except that it has the undesirable side-effect of depleting the entropy estimate maintained inside the kernel.) This entropy depletion issue keeps coming up every now and then, but I

Re: SSL/TLS passive sniffing

2005-01-04 Thread John Denker
I wrote: If the problem is a shortage of random bits, get more random bits! Florian Weimer responded: We are talking about a stream of several kilobits per second on a busy server (with suitable mailing lists, of course). This is impossible to obtain without special hardware. Not very special, as

SSL/TLS passive sniffing

2005-01-04 Thread David Wagner
Florian Weimer [EMAIL PROTECTED] writes: I'm slightly troubled by claims such as this one: http://lists.debian.org/debian-devel/2004/12/msg01950.html [which says: If you're going to use /dev/urandom then you might as well just not encrypt the session at all.] That claim is totally bogus,

Re: SSL/TLS passive sniffing

2005-01-04 Thread Greg Rose
At 22:51 2004-12-22 +0100, Florian Weimer wrote: * John Denker: Florian Weimer wrote: Would you recommend to switch to /dev/urandom (which doesn't block if the entropy estimate for the in-kernel pool reaches 0), and stick to generating new DH parameters for each connection, No, I wouldn't.

Re: SSL/TLS passive sniffing

2004-12-22 Thread Florian Weimer
* Victor Duchovni: The third mode is quite common for STARTTLS with SMTP if I am not mistaken. A one day sample of inbound TLS email has the following cipher frequencies: 8221(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) 6529(using TLSv1 with cipher

Re: SSL/TLS passive sniffing

2004-12-22 Thread John Denker
Florian Weimer wrote: Would you recommend to switch to /dev/urandom (which doesn't block if the entropy estimate for the in-kernel pool reaches 0), and stick to generating new DH parameters for each connection, No, I wouldn't. or ... generate them once per day and use it for several connections?

Re: SSL/TLS passive sniffing

2004-12-22 Thread Victor Duchovni
On Sun, Dec 19, 2004 at 05:24:59PM +0100, Florian Weimer wrote: * Victor Duchovni: The third mode is quite common for STARTTLS with SMTP if I am not mistaken. A one day sample of inbound TLS email has the following cipher frequencies: 8221(using TLSv1 with cipher

Re: SSL/TLS passive sniffing

2004-12-22 Thread Florian Weimer
* Victor Duchovni: The Debian folks have recently stumbled upon a problem in this area: Generating the ephemeral DH parameters is expensive, in terms of CPU cycles, but especailly in PRNG entropy. The PRNG part means that it's not possible to use /dev/random on Linux, at least on servers.

Re: SSL/TLS passive sniffing

2004-12-05 Thread Dirk-Willem van Gulik
On Wed, 1 Dec 2004, Anne Lynn Wheeler wrote: the other attack is on the certification authorities business process Note that in a fair number of Certificate issuing processes common in industry the CA (sysadmin) generates both the private key -and- certificate, signs it and then exports both

RE: SSL/TLS passive sniffing

2004-12-05 Thread Anton Stiglic
This sounds very confused. Certs are public. How would knowing a copy of the server cert help me to decrypt SSL traffic that I have intercepted? I found allot of people mistakenly use the term certificate to mean something like a pkcs12 file containing public key certificate and private key.

Re: SSL/TLS passive sniffing

2004-12-05 Thread Anne Lynn Wheeler
Anton Stiglic wrote: I found allot of people mistakenly use the term certificate to mean something like a pkcs12 file containing public key certificate and private key. Maybe if comes from crypto software sales people that oversimplify or don't really understand the technology. I don't know, but

RE: SSL/TLS passive sniffing

2004-12-01 Thread Ben Nagy
OK, Ian and I are, rightly or wrongly, on the same page here. Obviously my choice of the word certificate has caused confusion. [David Wagner] This sounds very confused. Certs are public. How would knowing a copy of the server cert help me to decrypt SSL traffic that I have intercepted?

RE: SSL/TLS passive sniffing

2004-12-01 Thread ben
-Original Message- From: Eric Rescorla [mailto:[EMAIL PROTECTED] Sent: Wednesday, December 01, 2004 7:01 AM To: [EMAIL PROTECTED] Cc: Ben Nagy; [EMAIL PROTECTED] Subject: Re: SSL/TLS passive sniffing Ian Grigg [EMAIL PROTECTED] writes: [...] However could one do a Diffie

Re: SSL/TLS passive sniffing

2004-12-01 Thread Eric Rescorla
[EMAIL PROTECTED] writes: -Original Message- From: Eric Rescorla [mailto:[EMAIL PROTECTED] Sent: Wednesday, December 01, 2004 7:01 AM To: [EMAIL PROTECTED] Cc: Ben Nagy; [EMAIL PROTECTED] Subject: Re: SSL/TLS passive sniffing Ian Grigg [EMAIL PROTECTED] writes: [...] However

SSL/TLS passive sniffing

2004-11-30 Thread Ben Nagy
Hi all, I'm a bumbling crypto enthusiast as a sideline to my other, real, areas of security expertise. Recently a discussion came up on firewall-wizards about passively sniffing SSL traffic by a third party, using a copy of the server cert (for, eg, IDS purposes). There was some question about

Re: SSL/TLS passive sniffing

2004-11-30 Thread Ian Grigg
Ben raises an interesting thought: There was some question about whether this is possible for connections that use client-certs, since it looks to me from the spec that those connections should be using one of the Diffie Hellman cipher suites, which is obviously not vulnerable to a passive

SSL/TLS passive sniffing

2004-11-30 Thread David Wagner
Ian Grigg writes: I note that disctinction well! Certificate based systems are totally vulnerable to a passive sniffing attack if the attacker can get the key. Whereas Diffie Hellman is not, on the face of it. Very curious... No, that is not accurate. Diffie-Hellman is also insecure if the

Re: SSL/TLS passive sniffing

2004-11-30 Thread Ian Grigg
Ian Grigg writes: I note that disctinction well! Certificate based systems are totally vulnerable to a passive sniffing attack if the attacker can get the key. Whereas Diffie Hellman is not, on the face of it. Very curious... No, that is not accurate. Diffie-Hellman is also insecure if the