[cryptography] project cost of HSMs

2012-04-10 Thread ianG
Does anyone have any estimates for the project cost of employing HSMs at a single task? (e.g., protecting / deploying a single secret, not a network of them.) I'm not looking for sticker prices but project costings, including: spare devices, programming, work-throughs and transfers,

[cryptography] SHA1 extension limitations (Re: Doubts over necessity of SHA-3 cryptography standard)

2012-04-10 Thread Adam Back
Well the length extension is not fully flexible. i.e. you get SHA1( msg ) which translates into msg-blocks || pad msg-length which is then fed to SHA1-transform, and the IV is some magic values. So the length extension is if you start with a hash that presumably you don't know all the msg-blocks.

Re: [cryptography] project cost of HSMs

2012-04-10 Thread Von Welch
Ian, I've led or been involved with several projects in academia that have used HSMs as a basis for a CA. I can't say I've done a cost analysis at the level of granularity you seem to be looking for, but I will say that at a high-level, the added personnel costs of integrating and maintaining

Re: [cryptography] Doubts over necessity of SHA-3 cryptography standard

2012-04-10 Thread lodewijk andré de la porte
But as SHA-2 is still a pure Merkle–Damgård construction it deviates from an ideal pseudorandom function or random oracle in a couple of ways. Firstly, and most significantly, it is subject to length extension attacks. This means that given a hash value of some secret message, we can

[cryptography] Forensic snoops: It doesn't take a Genius to break into an iPhone

2012-04-10 Thread Randall Webmail
Cop tools easily bypass 4-digit passcodes By John Leyden Posted in Enterprise Security, 10th April 2012 08:22 GMT Analysis Forensic tools against smartphones allow basic 4-digit phone passcodes to be bypassed in minutes. However, more complex passcodes are far

Re: [cryptography] Forensic snoops: It doesn't take a Genius to break into an iPhone

2012-04-10 Thread Jon Callas
On Apr 10, 2012, at 10:32 AM, Natanael wrote: Just FYI, there's been claims that these guys faked it. But on the other hand, there ARE other tools that can extract data from iPhones so you can bruteforce the encryption later. I'm pretty certain they faked it. The question is how they

Re: [cryptography] Forensic snoops: It doesn't take a Genius to break into an iPhone

2012-04-10 Thread Andrew R. Whalley
Hello, If you're selling a forensic toolkit, it is not untrue that you could do it in a few minutes on average. It's not what I'd call responsible, though I'd be inclined to agree with Jon's analysis, as have others: The “two minutes” it takes to crack your passcode will only hold true if

Re: [cryptography] Looking for an unusual AKE protocol

2012-04-10 Thread Steven Bellovin
The station-to-station protocol -- a digitally-signed Diffie-Hellman exchange -- should do what you want. On Apr 10, 2012, at 7:59 PM, King Of Fun wrote: I am looking for a protocol that will provide mutual authentication and key exchange with a minor twist: the client and server have RSA

Re: [cryptography] Forensic snoops: It doesn't take a Genius to break into an iPhone

2012-04-10 Thread ianG
Not wishing to comment on PIN cracking, but here is some evidence that the BYOD phenomena and iPhones are starting to get serious attention: http://dsd.gov.au/publications/iOS5_Hardening_Guide.pdf (We should look for an NSA equiv, I recall their hardening guide for Mac OSX was far more

Re: [cryptography] Forensic snoops: It doesn't take a Genius to break into an iPhone

2012-04-10 Thread Jeffrey Walton
On Tue, Apr 10, 2012 at 1:07 PM, Randall Webmail rv...@insightbb.com wrote: Cop tools easily bypass 4-digit passcodes By John Leyden Posted in Enterprise Security, 10th April 2012 08:22 GMT Analysis Forensic tools against smartphones allow basic 4-digit phone

Re: [cryptography] Forensic snoops: It doesn't take a Genius to break into an iPhone

2012-04-10 Thread Jeffrey Walton
On Tue, Apr 10, 2012 at 2:36 PM, Jon Callas j...@callas.org wrote: On Apr 10, 2012, at 10:32 AM, Natanael wrote: Just FYI, there's been claims that these guys faked it. But on the other hand, there ARE other tools that can extract data from iPhones so you can bruteforce the encryption later.

Re: [cryptography] Forensic snoops: It doesn't take a Genius to break into an iPhone

2012-04-10 Thread Jeffrey Walton
On Tue, Apr 10, 2012 at 8:50 PM, ianG i...@iang.org wrote: Not wishing to comment on PIN cracking, but here is some evidence that the BYOD phenomena and iPhones are starting to get serious attention: http://dsd.gov.au/publications/iOS5_Hardening_Guide.pdf (We should look for an NSA equiv, I

Re: [cryptography] MS PPTP MPPE only as secure as *single* DES

2012-04-10 Thread ianG
On 9/04/12 13:33 PM, James A. Donald wrote: On 2012-04-09 10:17 AM, Steven Bellovin wrote: I'd put most of it down to conflicting agendas -- even people you regard as evil don't see themselves that way; they simply have a different definition -- agenda -- for good. An agenda which requires