Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-11-24 Thread coderman
On Wed, Nov 24, 2010 at 2:16 PM, Marsh Ray wrote: > ... > So are you saying it is or it isn't Cloud-Compliant? hah, i rant at length on the mistaken security assumptions of cloud computing. (remember when it was grid computing?, and before that ...) i'll try to stay on topic. *grin* > What fre

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-11-24 Thread Marsh Ray
On 11/24/2010 02:11 PM, coderman wrote: On Wed, Nov 24, 2010 at 2:49 AM, Marsh Ray wrote: (that's the abridged version. this is actually more complicated than many assume, and i've written my own egd's in the past to meet need.) Ya. How does this feature interact with virtualization? for

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-11-24 Thread coderman
On Wed, Nov 24, 2010 at 2:49 AM, Marsh Ray wrote: > ... > How would you know if it was working properly? Or backdoored? use an entropy gathering daemon to verify sanity checks on output, obscure generator state through digest or cipher, and finally mix this entropy at conservative density entropy

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-11-24 Thread Marsh Ray
On 11/24/2010 02:58 AM, coderman wrote: On Tue, Nov 23, 2010 at 10:43 PM, Marsh Ray wrote: How about all the weak and insufficiently seeded RNGs out there? it's more than a little annoying how many accelerated crypto implementations exist while good entropy is still a scarcity. why isn'

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-11-24 Thread coderman
On Tue, Nov 23, 2010 at 10:43 PM, Marsh Ray wrote: > > How about all the weak and insufficiently seeded RNGs out there? it's more than a little annoying how many accelerated crypto implementations exist while good entropy is still a scarcity. why isn't this a native instruction on every arc

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-11-23 Thread Marsh Ray
On 11/23/2010 04:31 PM, travis+ml-rbcryptogra...@subspacefield.org wrote: On Sat, Nov 20, 2010 at 01:10:53PM +1000, James A. Donald wrote: Ian G wrote: The result of 15-20 years is that nobody has ever lost money because of a cryptographic failure, to a high degree of reliability. How about a

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-11-23 Thread travis+ml-rbcryptography
On Tue, Nov 23, 2010 at 02:31:25PM -0800, travis+ml-rbcryptogra...@subspacefield.org wrote: > IMHO, having attackers move to other systems (or attack parts of a > system you designed), is a sign of success, not failure. If you > designed that system (or part), that's the best possible outcome. E

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-11-23 Thread James A. Donald
On 2010-11-24 8:31 AM, travis+ml-rbcryptogra...@subspacefield.org wrote: Successful systems tend to be evolutionary rather than revolutionary when there's a non-trivial ecosystem around them. The fundamental security flaw is that we have a name system that does not scale. Evolution rather tha

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-11-23 Thread Ian G
On 24/11/10 7:51 AM, travis+ml-rbcryptogra...@subspacefield.org wrote: On what basis do you make the (implicit) assumption that cert privkeys were actually stolen? For me, it would be Preponderance of evidence, or in non-legal terms "more likely than not." Note: I do not claim to have any

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-11-23 Thread travis+ml-rbcryptography
On Sat, Nov 20, 2010 at 01:10:53PM +1000, James A. Donald wrote: > Ian G wrote: >> The result of 15-20 years is that nobody has ever lost money because of >> a cryptographic failure, to a high degree of reliability. > > How about all the money lost because Wifi security does not work? How about ac

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-11-23 Thread travis+ml-rbcryptography
On what basis do you make the (implicit) assumption that cert privkeys were actually stolen? Note: I do not claim to have any evidence the pubkeys were factored, etc., I'm just wondering on what basis you jump to assuming it was a node security failure. -- Good code works on most inputs; correct

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-11-21 Thread Peter Gutmann
Ian G writes: >It sucks so badly, I decided in future that the only moral and ethical way >one could use the words encryption or security or the like in any >conversation was if the following were the case: > > there is only one mode, and it is secure. Something similar was done by the CORBA

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-11-21 Thread Ian G
On 21/11/10 8:37 AM, Marsh Ray wrote: On 11/19/2010 05:39 PM, Ian G wrote: I don't think this qualifies as a bait-and-switch scenario because the originally-advertised functionality (the bait) is still part of the package. :) Bait-and-switch would be more like a salesperson saying "No, I'

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-11-20 Thread coderman
On Sat, Nov 20, 2010 at 1:37 PM, Marsh Ray wrote: > ... > The best term for this that I can think of is plain old "exaggeration", but > I don't feel like that really captures the idea. It's more that the claims > are extended beyond their original domain, to the point where they may no > longer ap

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-11-20 Thread Marsh Ray
On 11/19/2010 05:39 PM, Ian G wrote: On 20/11/10 6:26 AM, travis+ml-rbcryptogra...@subspacefield.org wrote: Does the fact that parts of Stuxnet were signed by two valid certs count as a cryptographic failure? Short answer: no. Medium answer: if you look at the so-called Internet Threat Model

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-11-20 Thread Rayservers
Hello Ian, On 19/11/10 23:39, Ian G wrote: > On 20/11/10 6:26 AM, travis+ml-rbcryptogra...@subspacefield.org wrote: >> On Sat, Oct 16, 2010 at 12:29:07PM +1100, Ian G wrote: >>> On this I would demur. We do have a good metric: losses. Risk >>> management starts from the business, and then move

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-11-19 Thread Peter Gutmann
travis+ml-rbcryptogra...@subspacefield.org writes: >Does the fact that parts of Stuxnet were signed by two valid certs >count as a cryptographic failure? The crypto worked perfectly, it was everything around it that failed. (Which has been the case for every other security failure involving modern

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-11-19 Thread Randall Webmail
> > A common, perhaps the most common, attack on corporations is > to get > > inside the corporate network through wifi, then mount an sql > injection> attack on the corporate database, then steal the > corporate database. > > This often causes extremely large monetary losses. A very large perc

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-11-19 Thread Ian G
On 20/11/10 2:10 PM, James A. Donald wrote: Ian G wrote: On this I would demur. We do have a good metric: losses. Risk management starts from the business, and then moves on to how losses are affecting that business, which informs our threat model. We now have substantial measurable history o

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-11-19 Thread James A. Donald
Ian G wrote: On this I would demur. We do have a good metric: losses. Risk management starts from the business, and then moves on to how losses are affecting that business, which informs our threat model. We now have substantial measurable history of the results of open use of cryptography.

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-11-19 Thread Chris Palmer
Ian G writes: > As I say, highly counter-culture and widely disagreed :) Really? I think this audience at least is likely to agree with you. I do, particularly your hypothesis 5 (I learned it from Saltzer et al.). Granted, there are all these people who believe that DNS and BGP and so on should

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-11-19 Thread Jon Callas
> > Does the fact that parts of Stuxnet were signed by two valid certs > count as a cryptographic failure? > Of course not. Does it count as a DMV failure if a bank robber has a valid drivers license? None of us have ever claimed that only good people can use cryptography. As a matter of fact,

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-11-19 Thread Ian G
On 20/11/10 6:26 AM, travis+ml-rbcryptogra...@subspacefield.org wrote: On Sat, Oct 16, 2010 at 12:29:07PM +1100, Ian G wrote: On this I would demur. We do have a good metric: losses. Risk management starts from the business, and then moves on to how losses are affecting that business, which

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-11-19 Thread travis+ml-rbcryptography
On Sat, Oct 16, 2010 at 12:29:07PM +1100, Ian G wrote: > On this I would demur. We do have a good metric: losses. Risk > management starts from the business, and then moves on to how losses are > affecting that business, which informs our threat model. > > We now have substantial measureabl

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-11-18 Thread travis+ml-rbcryptography
On Thu, Oct 14, 2010 at 01:32:41PM -0500, Marsh Ray wrote: > No one's yet published a preimage for MD5, a seriously broken 128 bit > function, so I doubt you'll find anyone who will express confidence that > they can find a preimage for any reasonable 384 or 512 bit hash function. Only one pro

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-10-15 Thread Jon Callas
On Oct 15, 2010, at 7:15 PM, James A. Donald wrote: > On 2010-10-16 6:33 AM, Jon Callas wrote: > > If you assume that there are Moore's-Law-Equivalent > > increases in compute power indefinitely, then 128-bit > > security is good until about 2050-2060, and 256-bit > > security is good until 2150

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-10-15 Thread James A. Donald
On 2010-10-16 6:33 AM, Jon Callas wrote: > If you assume that there are Moore's-Law-Equivalent > increases in compute power indefinitely, then 128-bit > security is good until about 2050-2060, and 256-bit > security is good until 2150 or so. On the one hand, we know > that semiconductor improvemen

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-10-15 Thread Ian G
Hi Steven and all, On 16/10/10 1:56 AM, Steven Bellovin wrote: There are many possible answers to your query -- including, of course, "you're right" -- but maybe we should be a little bit more charitable. Maybe, in fact, they're right. I think one of the flaws in all this is the old "w

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-10-15 Thread Jon Callas
Zooko, Let me try to explain the rationale for some of this. Note that explaining is not the same thing as agreeing with. I have to give a small ironic smile to hear you ask these questions while you've also advocated for hundred-year digital signatures. If you want hundred-year crypto, you wa

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-10-15 Thread Steven Bellovin
There are many possible answers to your query -- including, of course, "you're right" -- but maybe we should be a little bit more charitable. Maybe, in fact, they're right. The real goal is a certain degree of security -- an enemy cannot usefully attack it. By "useful" I mean "in time to caus

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-10-15 Thread Marsh Ray
On 10/14/2010 10:09 PM, Zooko O'Whielacronx wrote: This part is a technical mistake, see http://cr.yp.to/hash/collisioncost-20090517.pdf . I wouldn't be surprised if you are right that this is how NIST came up with the requirement for a 512-bit hash function though. NIST may not really need

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-10-14 Thread Morlock Elloi
It's because cryptographers don't really have more imagination than, say, TV screen OEMs: bigger is better, simply because they don't know to do anything else. It doesn't matter that there is no bandwidth to fill that screen, that there is really no content worth watching, that the effective ang

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-10-14 Thread Zooko O'Whielacronx
I like the way you think. On Thu, Oct 14, 2010 at 12:32 PM, Marsh Ray wrote: >> >> What if a hash has 512-bit collision-resistance? What would that mean? >> That an attacker might spend about 2^512 resources to find a collision >> in it? > > The attacker can match any hash he generates with any o

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-10-14 Thread Zooko O'Whielacronx
Oh, and now I need to follow-up to my follow-up to correct an over-simplification. On Thu, Oct 14, 2010 at 8:33 PM, Zooko O'Whielacronx wrote: > I know that collision resistance > is approximately as difficult to achieve as the square of pre-image > resistance is. Actually the above is true only

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-10-14 Thread Zooko O'Whielacronx
Following-up to my own post to correct a goof: On Wed, Oct 13, 2010 at 10:56 PM, Zooko O'Whielacronx wrote: > > If a hash has 32-bit pre-image-resistance then this means an attacker > might spend about 2^32 resources to find a pre-image. > > If a hash has 64-bit pre-image-resistance then this mea

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-10-14 Thread Marsh Ray
On 10/14/2010 02:49 PM, Samuel Neves wrote: On 14-10-2010 19:32, Marsh Ray wrote: 3. There are quantum computer attacks theorized which appear to cut the exponent in half again. Thus a 256 bit hash could possibly be collided in 2^64 operations on some future machine. Is there a source for this

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-10-14 Thread Samuel Neves
On 14-10-2010 19:32, Marsh Ray wrote: > 3. There are quantum computer attacks theorized which appear to cut > the exponent in half again. Thus a 256 bit hash could possibly be > collided in 2^64 operations on some future machine. Is there a source for this? The only quantum approach I've heard of,

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-10-14 Thread Marsh Ray
On 10/13/2010 11:56 PM, Zooko O'Whielacronx wrote: What if a hash has 512-bit collision-resistance? What would that mean? That an attacker might spend about 2^512 resources to find a collision in it? The attacker can match any hash he generates with any other, not just one specific target val

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-10-14 Thread Ian G
On 14/10/10 3:56 PM, Zooko O'Whielacronx wrote: In any case, I'm pretty sure that as a *user* of hash functions what I care about is "more likely to fail" (and efficiency), not about "bits of security" for any bit-level greater than about 128 (including consideration of quantum attacks, multi-ta

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-10-14 Thread Paul Crowley
On 14/10/10 05:56, Zooko O'Whielacronx wrote: What if a hash has 512-bit collision-resistance? What would that mean? That an attacker might spend about 2^512 resources to find a collision in it? That is a meaningless possibility to discuss since 2^512 resources will never exist in the life of thi

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-10-14 Thread Peter Gutmann
"Zooko O'Whielacronx" writes: >What if a hash has 512-bit collision-resistance? What would that mean? That the phenomenon of zero-risk bias is alive and flourishing in the security fashion industry? Peter.

[cryptography] philosophical question about strengths and attacks at impossible levels

2010-10-13 Thread Zooko O'Whielacronx
Dear cryptography@randombit.net: I just sent this letter to a mailing list of SHA-3 designers. I thought you might be interested in the general question. Regards, Zooko Folks: If a hash has 32-bit pre-image-resistance then this means an attacker might spend about 2^32 resources to find a pre-i