Re: [cryptography] [FORGED] Re: Kernel space vs userspace RNG

The Doctor writes: >I was getting roughly twice that - 15-30 counts per minute. The hardware was >set up for alpha and beta particles, so it got a decent amount of background >radiation. The counter you linked to looked like it was using a cheap M4011 tube (Chinese

Re: [cryptography] [FORGED] Re: Kernel space vs userspace RNG

The Doctor writes: >It took me an afternoon to write some Python to measure the times in between >particles hitting the tube, hash them, and cat them into /dev/urandom. Problem is that in a standard environment you're getting very little input, maybe 10-15 counts per minute.

Re: [cryptography] [FORGED] Google tears Symantec a new one over rogue SSL certs

Jeffrey Walton writes: >Google has read the riot act to Symantec, scolding the security biz for its >slapdash handling of highly sensitive SSL certificates. Hardly. It's just TB2F business as usual. If you read the original article: >Symantec performed another audit and,

Re: [cryptography] NSA Apple DPA Cryptanalysis

On a related topic, I love the fact that they not only have a Trusted Computing Jamboree, a celebration of subverting TCG technology, but that this is the seventh annual one... Peter. ___ cryptography mailing list cryptography@randombit.net

Re: [cryptography] NSA Apple DPA Cryptanalysis

ianG i...@iang.org writes: We will also describe and present results for an entirely new unpublished attack against a Chinese Remainder Theorem (CRT) implementation of RSA that will yield private key information in a single trace. An actual cryptography breach! Outstanding if true... No, just

Re: [cryptography] Cryptanalysis of RADIUS MD5 cipher?

Thor Lancelot Simon t...@panix.com writes: For at least 15 years there's been general grumbling that the MD5 based stream cipher used for confidentiality in RADIUS looks like snake oil. It's not snake oil, the MD5-based masking was created because it was exportable. Proper crypto like DES

Re: [cryptography] Is KeyWrap (RFC 3394) vulnerable to CCAs?

Naveen Nathan nav...@lastninja.net writes: [Quoting someone else] As I see it from that paper the advantages of a key-wrap scheme over using a generic AEAD scheme is that (a) it may be lighter weight in computation and size of ciphertext (b) Defends against “IV misuse”. (c) RFC 3394 has

Re: [cryptography] Underhanded Crypto

ianG i...@iang.org writes: Seems like we'll find out tho, as Peter and Bear are willing to give it a shot. It's not really giving it a shot in my case, it's taking crypto implementation mistakes so old that people have forgotten about them and adding them to recent code. All you need to do in

Re: [cryptography] Underhanded Crypto

ianG i...@iang.org quotes: Can you design an encrypted chat protocol that looks secure to everyone who reviews it, but in reality lets anyone who knows some fixed key decrypt the messages? Since some of the organisers read this list and this question may be relevant for other contributors as

Re: [cryptography] Email encryption for the wider public

stef s...@ctrlc.hu writes: let me summarize (and ask you to reread and understand) grapamps response to you: email is dead. ... he said, via email. Peter. ___ cryptography mailing list cryptography@randombit.net

Re: [cryptography] Request - PKI/CA History Lesson

Jason Iannone jason.iann...@gmail.com writes: With that, I ask for a history lesson to more fully understand the PKI's genesis and how we got here. http://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf, chapter PKI. Peter. ___ cryptography mailing list

Re: [cryptography] 2010 TAO QUANTUMINSERT trial against 300 (hard) targets

Greg Rose g...@seer-grog.net writes: You get the routers to create valid-looking certificates for the endpoints, to mount man-in-the-middle attacks. This is relatively easy for home routers, since the self-signed certs they're configured with are frequently CA certs. In other words they ship

Re: [cryptography] [Ach] Better Crypto

L. Aaron Kaplan kap...@cert.at writes: So, Peter, how about this approach? Sorry about the delayed reply, too much other stuff on my plate at the moment... 1. We will have three config options: cipher String A,B,C ( generic safe config, maximum interoperability (== this also makes the mozilla

Re: [cryptography] SafeCurves evaluation of secp256k1 - side channels

=?iso-8859-15?Q?Kriszti=E1n_Pint=E9r?= pinte...@gmail.com writes: you can make RSA safer adding more cycles and more code. or you can implement it without blinding, and call it a day. it is inconceivable that nobody ever will choose the latter strategy. I've mentioned this one before, but some

Re: [cryptography] [Ach] Better Crypto

L. Aaron Kaplan kap...@cert.at writes: As a general observation, it also promotes the thinking that all we need to do is choose magic algorithm A instead of magic algorithm B and everything is fixed. No, if we created that impression then we failed. The problem is that as you read through

Re: [cryptography] Better Crypto

ianG i...@iang.org writes: Not sure if it has been mentioned here. The Better Crypto group at bettercrypto.org have written a (draft) paper for many of those likely configurations for net tools. The PDF is here: https://bettercrypto.org/static/applied-crypto-hardening.pdf If you're a busy

Re: [cryptography] European report says many crypto protocols have problems

Sandy Harris sandyinch...@gmail.com writes: Cited in a comment on Schneier's blog: https://www.schneier.com/blog/archives/2013/10/nsa_eavesdroppi_2.html Register article with link to actual report: http://www.theregister.co.uk/2013/10/31/most_security_protocols_insecure_suggests_enisa/ The

Re: [cryptography] Curve25519 OID (was: Re: the spell is broken)

Jeffrey Walton noloa...@gmail.com writes: For completeness, Crypto++ has a factory-like method that serves curves. The curves are sorted by OID in the function, so Crypto++ would need an OID for ed25519. { 1 3 6 1 4 1 3029 1 5 1 } ed209^H^H5519 You have been OIDed. Go forth and encrypt.

Re: [cryptography] Daniel the King. Jon the President. Linus the God?

d...@geer.org quotes: We reject: kings, presidents and voting. We believe in: rough consensus and running code. -- David Clark Well that was certainly an elegant concept for a more civilized age, but it's been: We used to reject: kings, presidents and voting. We

Re: [cryptography] the spell is broken

Jon Callas j...@callas.org writes: In Silent Text, we went far more to the one true ciphersuite philosophy. I think that Iang's writings on that are brilliant. Absolutely. The one downside is that you then need to decide what the OTS is going to be. For example Mozilla (at least via Firefox)

Re: [cryptography] the spell is broken

James A. Donald jam...@echeque.com writes: By moving away from anything NIST has touched he deprives the NSA of leverage to insert backdoors, Just as a bit of a counterpoint here, how far do you want to go down this rathole? Someone recently pointed me to the latest CERT vuln. summary (because

Re: [cryptography] Opinions on Internet Privacy

Paul Bakker p.j.bak...@offspark.com writes: So you agree we DO need an additional layer of symmetric and public key encryption, don't you? Six layers might not be enough!! Oh everyone knows that, if it doesn't have the full seven layers then you're not even trying. Peter.

Re: [cryptography] The Compromised Internet

Tony Arcieri basc...@gmail.com writes: What threat are you trying to prevent that isn't already solved by the use of cryptography alone? The threat of people saying we'll just throw some cryptography at it and then all our problems will be solved. Peter.

Re: [cryptography] forward-secrecy =2048-bit in legacy browser/servers? (Re: [Cryptography] RSA equivalent key length/strength)

Adam Back a...@cypherspace.org writes: Is there a possibility with RSA-RSA ciphersuite to have a certified RSA signing key, but that key is used to sign an RS key negotiation? Yes, but not in the way you want. This is what the 1990s-vintage RSA export ciphersuites did, but they were designed so

Re: [cryptography] Deleting data on a flash?

Adam Back a...@cypherspace.org writes: Apparently or so I've heard claim SSDs also offer lower level APIs to actually wipe physical (not logically wear-level mapped) cells, to reliably wipe working cells. Anyone know about those? They could be used where available and to the extent they are

Re: [cryptography] [Cryptography] RSA equivalent key length/strength

ianG i...@iang.org writes: One mystery is left for me. Why so much? It clearly doesn't cost that much money to implement the DRBG, or if it did, I would have done it for $5m, honest injun! Nor would it cost that to test it nor to deploy it on mass. Documentation, etc. You're assuming that

Re: [cryptography] urandom vs random

Just appeared on the GnuPG list: NeuG 0.11 was released. NeuG is an implementation of True Random Number Generator based on quantization error of ADC of STM32F103. It is basically intended to be used as a part of Gnuk, but we also have standalone USB CDC-ACM version (you can get random stream

Re: [cryptography] urandom vs random

ianG i...@iang.org writes: On a related point, what name do we give to the design/pattern for entropy sources == mix/pool == deterministic expansion function ? The standard way to do things? Or a standard CSPRNG (continually seeded PRNG). Peter.

Re: [cryptography] urandom vs random

shawn wilson ag4ve...@gmail.com writes: It's not like they're the only ones that sell these, but they /were/ the only ones to sell USB PRNG at $800. You can get them for as little as $50 in the form of USB-key media players running Android. Or if you really insist on doing the whole thing

Re: [cryptography] urandom vs random

Sandy Harris sandyinch...@gmail.com writes: A sound device is available on many server boards and often unused, or you can add one in a slot or USB on others, A friend of mine looked at this a while back using the pretty simple technique of drawing a scatter plot from the samples. The output of

Re: [cryptography] urandom vs random

yersinia yersinia.spi...@gmail.com writes: To illustrated this, Peter displayed a photograph of three icosahedral says That He'd thrown at home, saying here, if you need a random number, you can use 846. And there's the problem, he used a D20 so there's a bias in the results. If he'd used a

[cryptography] Paypal phish using EV certificate

I recently got a another of the standard phishing emails for Paypal, directing me to https://email-edg.paypal.com, which redirects to https://view.paypal-communication.com, which has a PayPal EV certificate from Verisign. According to this post

Re: [cryptography] Paypal phish using EV certificate

Erwann Abalea eaba...@gmail.com writes: Looks like paypal-communication.com is a legit domain owned by Paypal, Inc. Even though, according to the second article I referenced, Paypal said it was a phishing site and said they'd take it down? Peter. ___

Re: [cryptography] evidence for threat modelling -- street-sold hardware has been compromised

Marcus Brinkmann marcus.brinkm...@ruhr-uni-bochum.de writes: If you trust anonymous leaks to the Financial Review by members of your favourite spying agency network, then I guess its evidence. More importantly, look at the dates: The ban was introduced in the mid-2000s after intensive

Re: [cryptography] [liberationtech] Random number generator failure in Rasperri Pis?

Eugen Leitl eu...@leitl.org quotes: Just came accross this article, apparently showing the bad quality of the hardware RNG in Raspberri Pi devices. http://scruss.com/blog/2013/06/07/well-that-was-unexpected-the-raspberry-pis-hardware-random-number-generator/ That shows the bad quality of RANDU.

Re: [cryptography] [liberationtech] Heml.is - The Beautiful Secure Messenger

William Yager will.ya...@gmail.com writes: no cryptographer ever got hurt by being too paranoid, and not trusting your hardware is a great place to start. And while you're lying awake at night worrying whether the Men in Black have backdoored the CPU in your laptop, you're missing the fact that

Re: [cryptography] [liberationtech] Heml.is - The Beautiful Secure Messenger

Noon Silk noonsli...@gmail.com writes: A good point, of course. So what should everyone do? Look for things, and fix things, in order of likelihood of occurrence and exploitability. (Strong) Crypto is bypassed, not penetrated, so address that first. Once you've addressed all of those issues,

Re: [cryptography] [liberationtech] Heml.is - The Beautiful Secure Messenger

William Yager will.ya...@gmail.com writes: It's nice that you can be so cavalier about this, but if your system's RNG is fundamentally broken, it doesn't really matter so much whether your other stuff is well-programmed or not. Well I'm not sure what thread you're coming in from, but the

Re: [cryptography] [liberationtech] Heml.is - The Beautiful Secure Messenger

Ben Laurie b...@links.org writes: But what's the argument for _not_ mixing their probably-not-backdoored RNG with other entropy? Oh, no argument from me on that one, mix every entropy source you can get your hands on into your PRNG, including less-than-perfect ones, the more redundancy there is

Re: [cryptography] [liberationtech] Heml.is - The Beautiful Secure Messenger

Nico Williams n...@cryptonector.com writes: I'd like to understand what attacks NSA and friends could mount, with Intel's witting or unwitting cooperation, particularly what attacks that *wouldn't* put civilian (and military!) infrastructure at risk should details of a backdoor leak to the

Re: [cryptography] DeCryptocat

Nadim Kobeissi na...@nadim.cc writes: AES-GCM is already prioritized over RC4, but unfortunately most browsers don't support AES-GCM yet, which is why RC4 remains as the secondary choice. In the case that AES-GCM is not supported, we use RC4 instead of AES-CBC in order to mitigate for BEAST. If

Re: [cryptography] Snowden: Fabricating Digital Keys?

Bill Scannell b...@scannell.org writes: Last week NSA Director Keith Alexander told the House Permanent Select Committee on Intelligence that Snowden was able to access files inside the NSA by fabricating digital keys that gave him access to areas he was not allowed to visit as a low-level

Re: [cryptography] Biggest Fake Conference in Computer Science

jimsimps...@hushmail.com writes: We are researchers from different parts of the world and conducted a study on the worldâs biggest bogus computer science conference WORLDCOMP ( http://sites.google.com/site/worlddump1 ) organized by Prof. Hamid Arabnia from University of Georgia, USA. ... and the

Re: [cryptography] ICIJ's project - comment on cryptography tools

ianG i...@iang.org writes: An internal Drug Enforcement Administration document seen by CNET discusses a February 2013 criminal investigation and warns that because of the use of encryption, it is impossible to intercept iMessages between two Apple devices even with a court order approved by a

Re: [cryptography] Key Checksums (BATON, et al)

Ethan Heilman eth...@gmail.com writes: Do I understand you correctly. The checksum is calculated using a key or the checksum algorithm is secret so that they can't generate checksums for new keys? Are they using a one-way function? Do you have any documentation about this? Like the algorithms

Re: [cryptography] Key Checksums (BATON, et al)

Jeffrey Walton noloa...@gmail.com writes: What is the reason for checksumming symmetric keys in ciphers like BATON? Are symmetric keys distributed with the checksum acting as a authentication tag? Are symmetric keys pre-tested for resilience against, for example, chosen ciphertext and related

Re: [cryptography] Apple Keychain (was Keyspace: client-side encryption for key/value stores)

Paul Walker p...@blacksun.org.uk writes: I'm curious which bits you feel Apple got right with the Keychain - not because I disbelieve you, but because I don't know. :-) Have you got any links or documents, either for what they did right or for what the others do wrong? Link sent off-list.

Re: [cryptography] Keyspace: client-side encryption for key/value stores

Thierry Moreau thierry.mor...@connotech.com writes: Client-side storage of long-term secrets can only be secured by dedicated client-side hardware. Your mileage may vary. In a perfect world, yes. However having an OS-provided, standardised mechanism that gets things mostly right (Apple Keyring)

Re: [cryptography] Keyspace: client-side encryption for key/value stores

Jeffrey Walton noloa...@gmail.com writes: Android 4.0 and above also offer a Keychain ( http://developer.android.com/reference/android/security/KeyChain.html). If using a lesser version, use a Keystore ( http://developer.android.com/reference/java/security/KeyStore.html). What Android gives you

Re: [cryptography] Client TLS Certificates - why not?

str...@riseup.net writes: Can anyone enlighten me why client TLS certificates are used so rarely? It used to be a hassle in the past They're still a huge pain to work with, and probably always will be. If you don't believe me, go to your mother, sit her in front of a computer, sit behind her

[cryptography] Is it just me or is this fundamentally broken?

Quoting http://xmpp.org/extensions/xep-0027.html#signing: Signing enables a sender to verify that they sent a certain block of text. [...] The text that is signed MAY be the empty string. (There's no metadata or anything there, just a raw signature). Peter.

Re: [cryptography] Is it just me or is this fundamentally broken?

Peter Saint-Andre stpe...@stpeter.im writes: No one uses XEP-0027 these days, they all use OTR. The PGP integration with XMPP clients was an early experiment in the Jabber community before we even called it XMPP. Think 13+ years ago. But clients never signed empty strings, although we never fixed

[cryptography] Interesting Webcrypto question

Say you've implemented a bunch of crypto on your web page via Javascript. Someone in North Korea (or Iran, or one of the other export-restricted nations) visits your site. You've now exported crypto to a restricted country. What happens next? Peter.

Re: [cryptography] Interesting Webcrypto question

Paul Hoffman paul.hoff...@vpnc.org writes: You've now exported crypto to a restricted country. What happens next? You ask a lawyer or a legislator, not a bunch of amateurs in the subject? Have you tried asking a lawyer or legislator? Would you say the look you got in response was more

Re: [cryptography] Which CA sells the most malware-signing certs?

I wrote: Jon Callas j...@callas.org writes: As Andy Steingruebl pointed out, there are a lot of malware certs that are stolen, so this data needs to be normalized against market share. Ah, good point. There are some in there that were explicitly sold by CAs to malware authors, e.g. the BUSTER

Re: [cryptography] Q: CBC in SSH

Bodo Moeller bmoel...@acm.org writes: If you wonder why NSS would prefer Camellia over AES (I sure did), here's the rationale. (Not a very good one, in my opinion -- if servers in certain countries are expected to have a strong preference for certain ciphersuites, those servers should override

[cryptography] Which CA sells the most malware-signing certs?

I've just done a quick tally of the certs posted to http://www.ccssforum.org/malware-certificates.php, a.k.a. Digital Certificates Used by Malware. Looks like Verisign (and its sub-brand Thawte) are the malware-authors' CA of choice, selling more certs used to sign malware than all other CAs

Re: [cryptography] Which CA sells the most malware-signing certs?

Jon Callas j...@callas.org writes: As Andy Steingruebl pointed out, there are a lot of malware certs that are stolen, so this data needs to be normalized against market share. Ah, good point. There are some in there that were explicitly sold by CAs to malware authors, e.g. the BUSTER

Re: [cryptography] Q: CBC in SSH

I wrote: Those are some pretty odd stats... Camellia is almost as popular as 3DES? To which Yaron Sheffer pointed me to: http://stackoverflow.com/questions/10378066/which-algorithm-is-stronger-for-tls-aes-256-or-camellia-256 which says: The reasoning is contained in the NSS library source

Re: [cryptography] Q: CBC in SSH

Nico Williams n...@cryptonector.com writes: SSHv2 has a this approach and it has not been a disaster there. It's still quite a mess. To compare the two, my TLS suite-choosing code is more or less: highestSuite = 0; foreach suite suite = readInteger(); if priority( suite )

Re: [cryptography] Q: CBC in SSH

Nico Williams n...@cryptonector.com writes: If we want a policy of limiting what cipher suites we allocate codepoints to then we should have an *explicit* policy, and we should not wimp out when it comes time to enforcing it. It'll never work, people will clamour for their pet vanity ciphers no

Re: [cryptography] Q: CBC in SSH

Paterson, Kenny kenny.pater...@rhul.ac.uk writes: In fact, SSHv2 adopts a Encrypt MAC construction and all fields in SSHv2 are authenticated. But the issue is that this authentication cannot be checked until the whole message has arrived, and the receiver has to use a field in the plaintext to

Re: [cryptography] Q: CBC in SSH

Ralph Holz h...@net.in.tum.de writes: From what I can tell from our data, the most common symmetric ciphers in SSH are proposed by client/servers to be used in CBC mode. With SSL/TLS and XMLEnc, this mode has had quite some publicity in the recent past. There have been attacks on SSH based on

Re: [cryptography] Q: CBC in SSH

Nico Williams n...@cryptonector.com writes: On Mon, Feb 11, 2013 at 4:45 PM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: There have been attacks on SSH based on the fact that portions of the packets aren't authenticated, and as soon as the TLS folks stop bikeshedding and adopt encrypt

Re: [cryptography] Q: CBC in SSH

Jeffrey Walton noloa...@gmail.com writes: I know its nothing new here. I'm just befuddled why standardized protocols written in stone by bright folks (IETF, IEEE, et al) continue to suffer defects that I don't make/endure (because I listen to cryptographers like you). Well, I'm not really a

Re: [cryptography] Q: CBC in SSH

Nico Williams n...@cryptonector.com writes: I'd go further: this could be the start of the end of the cipher suite cartesian product nonsense in TLS. Just negotiate {cipher, mode} and key exchange separately, or possibly cipher, mode, and key exchange, in just the same way as you propose

Re: [cryptography] OAEP for RSA signatures?

Thierry Moreau thierry.mor...@connotech.com writes: The Bleichenbacher attack adaptation to OAEP is non-existent today and would be an even more significant academic result. I must assume that Bleichenbacher would have published results in this direction if his research would have given those.

Re: [cryptography] OAEP for RSA signatures?

Ryan Sleevi ryan+cryptogra...@sleevi.com writes: Did you just suggest that the timing channels in PKCS#1 v1.5 are easier to get right than the timing channels of OAEP? Yup. The same PKCS#1 v1.5 encryption that's confounding people a decade [1] after the original attacks [2]? You're confusing

Re: [cryptography] OAEP for RSA signatures?

ianG i...@iang.org writes: Could OAEP be considered reasonable for signatures? You need to define appropriate. For example if you mean interoperable then OAEP isn't even appropriate for encryption, let alone signatures. If you're worried about timing channels then OAEP is also pretty

[cryptography] History of Ethiopian pottery in 4000 BC

John Levine jo...@iecc.com writes: I'd like a list where people ensured that the subject lines of their messages described what the message was about, so I can easily skip the ones that aren't of interest. Then I don't much care whether the discussion wanders afield of what I want to read.

Re: [cryptography] yet another certificate MITM attack

Jon Callas j...@callas.org writes: Others have said pretty much the same in this thread; this isn't an MITM attack, it's a proxy browsing service. Exactly. Cellular providers have been doing this for ages, it's hardly news. (Well, OK, given how surprised people seem to be, perhaps it should

Re: [cryptography] Why anon-DH is less damaging than current browser PKI (a rant in five paragraphs)

Ben Laurie b...@links.org writes: On Sat, Jan 5, 2013 at 1:26 PM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: In the light of yet another in an apparently neverending string of CA failures, how long are browser vendors going to keep perpetuating this PKI farce? [0]. Not only

Re: [cryptography] Why anon-DH is less damaging than current browser PKI (a rant in five paragraphs)

Ben Laurie b...@links.org with: a) I don't believe your figures, Well I don't believe in the tooth fairy, but in this case you're going to have to provide a more convincing rebuttal than I choose not to believe in this inconvenient information. I suspect you don't understand CT - perhaps you'd

[cryptography] Why anon-DH is less damaging than current browser PKI (a rant in five paragraphs)

In the light of yet another in an apparently neverending string of CA failures, how long are browser vendors going to keep perpetuating this PKI farce? [0]. Not only is there no recorded instance, anytime, anywhere, of a browser certificate warning actually protecting users from harm [1], but the

Re: [cryptography] How much does it cost to start a root CA ?

John Case c...@sdf.org writes: So what does it cost to start a root CA, get properly audited (as I see the root CAs are) and get yourself included into, say, firefox or chrome ? The rule of thumb I've seen from various inside sources is about $1M [0]. Obviously this can vary quite a lot based on

Re: [cryptography] Adobe confirms customer data breach

Jeffrey Walton noloa...@gmail.com writes: I'm trying to figure out why folks like Adobe (who know better and have the resources) are still using unsalted MD5. It's Adobe, you don't even need to go after their passwords, just convince an employee there to click on a PDF attachment or view a Flash

[cryptography] Why using asymmetric crypto like symmetric crypto isn't secure

In the past there have been a few proposals to use asymmetric cryptosystems, typically RSA, like symmetric ones by keeping the public key secret, the idea behind this being that if the public key isn't known then there isn't anything for an attacker to factor or otherwise attack. Turns out that

Re: [cryptography] Why using asymmetric crypto like symmetric crypto isn't secure

Jon Callas j...@callas.org writes: Which immediately prompts the question of what if it's long or secret? [1] This attack doesn't work on that. The asymmetric-as-symmetric was proposed about a decade ago as a means of protecting against new factorisation attacks, and was deployed as a commercial

Re: [cryptography] Application Layer Encryption Protocols Tuned for Cellular?

Jeffrey Walton noloa...@gmail.com writes: Is anyone aware of of application layer encryption protocols with session management tuned for use on cellular networks? [...] From that description your problem isn't at the encryption-protocol level at all, you need a reliable transport mechanism for

Re: [cryptography] Just how bad is OpenSSL ?

Ben Laurie b...@links.org writes: On Tue, Oct 30, 2012 at 11:17 AM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: Ben Laurie b...@links.org writes: Apparently you think the best way to get a secure platform is to apply pressure through pointless security standards. I think that's a bit

Re: [cryptography] DKIM: Who cares?

John Levine jo...@iecc.com writes: Hmmn. Is there some point to speculating about the behavior of mail systems about which you know nothing? Absolutely. We have a system design to perform a certain function (and, unfortunately, mis-marketed as being a solution to a rather different problem,

Re: [cryptography] DKIM makes Wired

Dave Crocker dcroc...@bbiw.net writes: In summary, it turns out that what seems like half the world's DKIM users are using toy keys as short as 384 bits. Since neither Wired nor CERT cited anyone's using 384-bit DKIM keys, I don't know where this assertion comes from. Harris found three

Re: [cryptography] DKIM: Who cares?

Zack Weinberg zack.weinb...@sv.cmu.edu writes: Or perhaps the mere presence of a DKIM record is sufficient deterrent against spam with forged From addresses at a particular domain, and that's the only thing these organizations thought DKIM was good for. I think it's more likely that DKIM is

Re: [cryptography] anyone got a how not to use OpenSSL list?

Patrick Mylund Nielsen cryptogra...@patrickmylund.com writes: Guess what his optimization was. Yup, he tried every combination of things in SSLCipherSuite and simply chose the one with the lest CPU... I've run into similar things, I've had (potential) users of my software reject it because it

Re: [cryptography] The lesser-known public key in embedded devices

Marek Lukaszuk m.lukas...@gmail.com writes: Have you seen this https://code.google.com/p/littleblackbox/ ? Yes, they're not in the littleblackbox list, which is why I asked here. Peter. ___ cryptography mailing list cryptography@randombit.net

Re: [cryptography] Inappropriate Use of Adobe Code Signing Certificate

ianG i...@iang.org writes: from a risk analysis view, the sensible thing to do is to attack the bureaucracy not the HSM. The problem with attacking the HSM is that it becomes obvious, a property sometimes known as tamper-evidence. Either by stealing it or accessing it (I speculate the exploit

Re: [cryptography] chaos-based cryptosystem with quantum crypto similarities

d...@geer.org writes: I clearly need to read something else first. Suggestions? One of Underwood Dudley's books perhaps? Peter. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography

[cryptography] Preemptive compromise of Apple ID accounts

I just got email from Apple asking me to confirm setting up a rescue email address for my Apple ID account (I haven't owned any Apple products since the IIe). It's the real thing from Apple, not a phishing email. So it looks like attackers have gone beyond social engineering access to Apple

Re: [cryptography] Intel RNG

coderman coder...@gmail.com writes: On Tue, Jun 19, 2012 at 12:48 AM, Marsh Ray ma...@extendedsubset.com wrote: ... Right, 500 MB/s of random numbers out to be enough for anybody. these rates often are not useful. even busy secure web or VPN servers use orders of magnitude less. initialization

Re: [cryptography] Intel RNG

Tim Dierks t...@dierks.org writes: While this is all true, it's also why manufacturers who want persuasive analysis of their products hire consulting vendors with a brand and track record strong enough that the end consumer can plausibly believe that their reputational risk outweighs the

Re: [cryptography] can the German government read PGP and ssh traffic?

Thierry Moreau thierry.mor...@connotech.com writes: Unless automated SSH sessions are needed (which is a different problem space), the SSH session is directly controlled by a user. Then, the private key is stored encrypted on long term storage (swap space vulnerability remaining, admittedly) and

Re: [cryptography] can the German government read PGP and ssh traffic?

Peter Maxwell pe...@allicient.co.uk writes: Why on earth would you need to spread your private-key across any number of less secure machines? The technical details are long and tedious (a pile of machines that need to talk via SSH because telnet and FTP were turned off/firewalled years ago, I

Re: [cryptography] can the German government read PGP and ssh traffic?

Marsh Ray ma...@extendedsubset.com writes: Perhaps someone who knows German can better interpret it. The government was asked are encrypted communications creating any difficulties for law enforcement in terms of pursuing criminals and terrorists?. The government replied no, not really, so

Re: [cryptography] can the German government read PGP and ssh traffic?

Werner Koch w...@gnupg.org writes: Which is not a surprise given that many SSH users believe that ssh automagically make their root account save and continue to use their lame passwords instead of using PK based authentication. That has its own problems with magical thinking: Provided you use PK

[cryptography] An oldie but a goodie

In the 1980s DEC gave us crypt16, reducing password-guessing from 25 DES operations to a suffix search requiring only 5 DES operations. In the 1990s MS gave us LMHASH, reducing it to a single DES operation. Now, in 2012, the WiFi Alliance is proud to present WPS' wps_reg, which splits a 7-digit

Re: [cryptography] Anyone seen this CA before?

Jon Callas j...@callas.org writes: That's hilarious! I love it! But I see some security problems: [...] One final one: There's no (implied) guarantee that any money changed hands. How can I trust a CA certificate if no-one paid for it? This destroys the very foundations of commercial PKI and

Re: [cryptography] RSA Moduli (NetLock Minositett Kozjegyzoi Certificate)

Jeffrey Walton noloa...@gmail.com writes: Is there any benefit to using an exponent that factors? I always thought low hamming weights and primality were the desired attributes for public exponents. And I'm not sure about primality. Seeing a CA put a key like this in a cert is a bit like walking

Re: [cryptography] RSA Moduli (NetLock Minositett Kozjegyzoi Certificate)

Jon Callas j...@callas.org writes: On Mar 23, 2012, at 6:03 AM, Peter Gutmann wrote: Jeffrey Walton noloa...@gmail.com writes: Is there any benefit to using an exponent that factors? I always thought low hamming weights and primality were the desired attributes for public exponents. And I'm

Re: [cryptography] RSA Moduli (NetLock Minositett Kozjegyzoi Certificate)

Adam Back a...@cypherspace.org writes: I presume its implied (too much tongue in cheek stuff for my literal brain to interpret) but a self-signed CA cert is a serious thing Replying partially to this and partially to an off-list message about how do we know it's genuine, look in your browser's

[cryptography] Diginotar summary

The following is an attempt to gather all the information on the Diginotar meltdown in one place. There's references to external sources ([REF...]) and cross-links (!!) which aren't present in the text, but apart from that it should be pretty complete. I've posted it here in case anyone

  1   2   3   >