On Sun, Jun 19, 2011 at 04:56:34PM +1200, Peter Gutmann wrote:
I know how to check the carry flag from inline asm, I just don't know what the rdrand encoding is. Here's the code I sent to the OP, I hadn't posted it yet because I need to get someone with access to the appropriate hardware
Peter Gutmann wrote:
Marsh Ray ma...@extendedsubset.com writes:
So the Intel DRNG has observable shared internal state and is shared among
multiple cores.
The rule for security there is that if an attacker can get physical access to
the same CPU as you, you're toast via any number of
On Wed, Jun 15, 2011 at 04:22:55AM +0400, Solar Designer wrote:
3. Order of ExpandKey()s in the costly loop:
http://www.openwall.com/lists/crypt-dev/2011/04/29/1
BTW, this inconsistency is seen even in bcrypt.c in OpenBSD - source
code comment vs. actual code.
Then I released my bcrypt code
On Mon, Jun 20, 2011 at 12:11:38PM -0500, Marsh Ray wrote:
On 06/20/2011 09:59 AM, Solar Designer wrote:
On Wed, Jun 15, 2011 at 04:22:55AM +0400, Solar Designer wrote:
Yesterday, I was informed of a bug in JtR, which also made its way into crypt_blowfish, and which made the hashes
On 06/20/2011 12:55 PM, Solar Designer wrote:
Yes, one lesson is that such pieces of code need more testing. Maybe
fuzzing with random inputs, including binary data, comparing them
against other existing implementations.
There are certainly more bugs lurking where the complex rules of
On Mon, Jun 20, 2011 at 2:09 PM, Marsh Ray ma...@extendedsubset.com wrote:
There are certainly more bugs lurking where the complex rules of international character data collide with password hashing. How does a password login application work from a UTF-8 terminal (or web page) when the host
Some responses to reactions to Kevin's post.
On 2011-06-18 19:32, Kevin Wall wrote:
First of all, I must say I apologize to Lev Novikov, as I promised to
do this several months ago, but unfortunately I had completely
forgotten about it. My bad. I hope, better late than never.
No worries.
On Mon, Jun 20, 2011 at 3:01 PM, Novikov, Lev lnovi...@mitre.org wrote:
On 2011-06-19 12:38, Peter Gutmann wrote:
Just one word really: Why?
There is an existing class of devices and environments (e.g., military and diplomatic communications) which have particular requirements that are hard
On 2011-06-21 3:11 AM, Marsh Ray wrote:
The best C developers might get the sign extension thing right 98% of
the time.
Unless it really is human readable text, cast it to BYTE
If it really is human readable text, use a string library, preferably a
sixteen bit unicode library.
On 2011-06-21 6:34 AM, Nico Williams wrote:
The GSS-API has been growing extensions to deal with these situations
by exposing more information to the application. There's also some
extensions by which to specify policies/profiles to apply.
Creating a whole *new* API to layer above the GSS-API
On Mon, Jun 20, 2011 at 8:47 PM, James A. Donald jam...@echeque.com wrote:
On 2011-06-21 6:34 AM, Nico Williams wrote:
The GSS-API has been growing extensions to deal with these situations
by exposing more information to the application. There's also some
extensions by which to specify
Jeffrey Walton noloa...@gmail.com writes:
The 'details' mentioned above is at http://www.schneier.com/blowfish-bug.txt,
and here's the crux of Morgan's report:
[bfinit] chokes whenever the most significant bit of key[j] is a '1'. For example, if key[j]=0x80, key[j], a signed char,