Re: [cryptography] crypto model based on cardiorespiratory coupling

2014-04-10 Thread Paterson, Kenny
The system is vulnerable to a simple chosen plaintext attack as soon as you extract a workable scheme from the vague description in the paper (see appendix A for the closest thing to an actual specification of an encryption scheme). It should be an embarrassment to both Phys Rev X and the Unive

Re: [cryptography] European report says many crypto protocols have problems

2013-11-04 Thread Paterson, Kenny
Peter, (Full disclosure: I was one of the external reviewers of this report.) I take your point that there is a gap between cryptography and security engineering, and I understand the gap well from first-hand experience, first from my time in industry and more recently as a consultant to industry

Re: [cryptography] Using same key for ECDSA and ECIES

2013-09-20 Thread Paterson, Kenny
us trouble. Indeed, there's even a cryptographic principle - key separation - which says "use different keys for different functions". Regards Kenny On 20/09/2013 19:35, "Dominik Schürmann" wrote: >-BEGIN PGP SIGNED MESSAGE- >Hash: SHA1 > > >On

Re: [cryptography] Using same key for ECDSA and ECIES

2013-09-20 Thread Paterson, Kenny
Hi On 20/09/2013 16:07, "Alan Braggins" wrote: >On 20/09/13 13:22, Dominik Schürmann wrote: >> I am wondering if it is okay to use the same asymmetric ECC key for >> ECDSA and ECIES. Given that the signing and encryption algorithms are >> not related like in RSA, I assume it is okay to use the

Re: [cryptography] Web Cryptography API (W3C Working Draft 8 January 2013)

2013-03-10 Thread Paterson, Kenny
On 10 Mar 2013, at 11:01, Ben Laurie wrote: > On 10 March 2013 10:58, Paterson, Kenny wrote: >> >> >> Right here: http://www.w3.org/TR/WebCryptoAPI: > > Somehow missed that. Thanks. > >> 19.1. Recommended algorithms >> >> This section i

Re: [cryptography] Web Cryptography API (W3C Working Draft 8 January 2013)

2013-03-10 Thread Paterson, Kenny
On 10 Mar 2013, at 10:51, Ben Laurie wrote: On 10 March 2013 01:25, Tony Arcieri wrote: On Sat, Mar 9, 2013 at 4:16 PM, Jeffrey Walton wrote: The Web Cryptography Working Group looks well organized, provides a very good roadmap, and o

Re: [cryptography] Q: CBC in SSH

2013-02-12 Thread Paterson, Kenny
Jeff, >> >> There have been attacks on SSH based on the fact that portions of the packets >> aren't authenticated, and as soon as the TLS folks stop bikeshedding and >> adopt >> encrypt-then-MAC I'm going to propose the same thing for SSH, it's such a >> no-brainer it should have been adopted ye

Re: [cryptography] Q: CBC in SSH

2013-02-12 Thread Paterson, Kenny
Hi Peter, On 11 Feb 2013, at 22:45, Peter Gutmann wrote: > Ralph Holz writes: > >> From what I can tell from our data, the most common symmetric ciphers in SSH >> are proposed by client/servers to be used in CBC mode. With SSL/TLS and >> XMLEnc, this mode has had quite some publicity in the r

Re: [cryptography] Q: CBC in SSH

2013-02-11 Thread Paterson, Kenny
Hi Ralph, CBC mode is indeed a bad choice for SSH, but for other reasons than the recent attacks on TLS. The paper you mention was published as: Albrecht, Paterson, Watson, Plaintext recovery attacks on SSH. IEEE Symposium on Security and Privacy, 2009 and explains why. CTR mode in SSH see