Re: [cryptography] what has the NSA broken?
Most private keys are issued by, not merely certified by, the CAs. If issued by, not private. Chances are the controlling authority also gets a copy of that private key.

To install your keys on your https server is painful, despite numerous people assuring me it is easy, and involves transporting the secret key hither and yon, even when done correctly. And it is never correct to transport secret keys hither and yon.

It would be far easier if installation of an http server /automatically generated the private key on the server that the private key was to secure/, so as to minimize private key transport, automatically creating a self signed certificate, and then you could send off the self signed certificate to be made into a CA signed certificate while continuing to use the same private key, so that when you set up a server, you never have to be aware of the existence of such a thing as a private key, merely a certificate.

Also, of course, browsers should not put up horrible scary warnings about self signed keys, treating them instead as at worst no worse than http, and, at best, taking advantage of key continuity.

It seems to me that the current complicated user hostile system for getting servers certified is designed to create and maintain a massive security hole, that it would be a lot easier to do things the right way, while now we are doing things the wrong way.

From the point of view of the person configuring a server, the public key should just be a guid that the server randomly generates to uniquely identify itself, the CA certifies the association of this guid with an organization and/or domain name, and as for the private key, no one should know about that, therefore, no one should ever have to care about that or think about that.

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Bruce Schneier on BULLRUN and related NSA programs
Thanks for this pointer which leads to Schneier's two reports in the Guardian about cooperating with Greenwald. As head of BT security it is hard to believe that Schneier did not know about BT's covert cooperation with GCHQ and NSA. His NDA with BT would likely prevent disclosing that knowledge along with protection of his vaunted rep as an incorruptible FOI battler. Similarly with other notable comsec wizards, the duplicity of NSA and GCHQ should not be a surprise unless pretense of surprise is part of the highly rewarding covert cooperation.

Cryptographers are of necessity shady operators, the louder they profess trustworthiness the more likely not, NSA and GCHQ role models and dispensers of lucre the role model. I seem to recall that there is an inverse relationship between advertized trust and deserved. Modest and quiet cryptographers have superior ethics over word artists. So a good match between commercially successful essayists Schneier and Greenwald. Let the haughty rhetoric gush. And as Schneier blogs, wise to keep secrets in their pocket(book)s. And as he demurs to the Guardian and others on why not release all the Snowden docs, presumably the docs need careful vetting to prevent embarrassing disclosures of duplicity of media and comsec wizards, a tradition as old as comsec.

Schneier's aptly revealing humor about crypto weakness: it's never the math, it's the agents of the code.

At 03:49 AM 9/6/2013, you wrote:
> select quotes from The NSA Is Breaking Most Encryption on the Internet
> http://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html
>
> Remember this: The math is good, but math has no agency. Code has agency, and the code has been subverted.
> ...
> [regarding magic curve constants]
> Bruce Schneier September 5, 2013 4:07 PM
> I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry.
> ...
> Bruce Schneier September 5, 2013 7:32 PM
> You recommended to 'Prefer symmetric cryptography over public-key cryptography.' Can you elaborate on why?
> It is more likely that the NSA has some fundamental mathematical advance in breaking public-key algorithms than symmetric algorithms.
> [EDITOR: the safety margin for key lengths over time is definitely more reassuring for symmetric ciphers*. and aggravating that hardware security products and other encryption appliances and systems do not accommodate 4k or even 2k keys well, not to mention the varied cipher suites you may prefer...]
> ...
> Bruce Schneier September 5, 2013 4:58 PM
> Why are you not going to write about those 'other few things'? Can you write about them here please?
> I want to keep some secrets in my back pocket.
>
> * key length recommendations in bits
>
>                                                 symmetric   pubkey   hash
>   Lenstra and Verheul Equations (2000)                 70      952    140
>   compare to: ECRYPT II 2011-2015                      80     1248    160
>   and considering projection: ECRYPT II 2041          256    15424    512
[cryptography] Eccentric Authentication again
Hello all,

I've written two new blog entries on eccentric authentication. The protocol that uses client certificates and a local CA to distribute public keys between strangers in a secure way.

Please read in this order:
http://eccentric-authentication.org/blog/2013/08/31/the-holy-grail-of-cryptography.html
http://eccentric-authentication.org/blog/2013/09/05/a-subversive-idea.html

I'd love to hear comments, remarks, improvements.

Regards, Guido.
Re: [cryptography] regarding the NSA crypto breakthrough
On Thu, Sep 05, 2013 at 10:47:10AM -0700, coderman wrote:
> of all the no such agency disclosures, this one fuels the most wild speculation.

It is reported that the journalists deliberately withheld details which are available in Snowden's original documents. Somebody better leak these, fast. The claims are that some code and magic constants have been weakened, but also that NSA still has problems with some methods. We need to know.

Obviously, as a short-term workaround there's fallback to expensive/inconvenient methods like one-time pads, but long-term we obviously need new cyphers. Not tainted by any TLA poison.
Re: [cryptography] regarding the NSA crypto breakthrough
You're right.

http://cpunks.wordpress.com/2013/09/06/how-to-remain-secure-against-surveillance-a-practical-guide/

--Michael

06.09.2013 11:01 Eugen Leitl eu...@leitl.org:
> On Thu, Sep 05, 2013 at 10:47:10AM -0700, coderman wrote:
>> of all the no such agency disclosures, this one fuels the most wild speculation.
>
> It is reported that the journalists deliberately withheld details which are available in Snowden's original documents. Somebody better leak these, fast. The claims are that some code and magic constants have been weakened, but also that NSA still has problems with some methods. We need to know.
>
> Obviously, as a short-term workaround there's fallback to expensive/inconvenient methods like one-time pads, but long-term we obviously need new cyphers. Not tainted by any TLA poison.
[cryptography] Matthew Green: An understated response to the NSA and unidentified friends treachery
An understated response to the NSA and unidentified friends treachery:

http://blog.cryptographyengineering.com/2013/09/on-nsa.html

More of these expected, many. But who knows, as Green says, all could go back to swell comsec business as usual.
[cryptography] FBI OpenBSD Backdoors and RSA Cipher Vulnerability
12 January 2012. FBI OpenBSD Backdoors and RSA Cipher Vulnerability:

http://cryptome.org/2012/01/0032.htm
Re: [cryptography] [Cryptography] Opening Discussion: Speculation on BULLRUN
- Forwarded message from arxlight arxli...@arx.li -

Date: Fri, 06 Sep 2013 00:46:15 +0200
From: arxlight arxli...@arx.li
To: cryptogra...@metzdowd.com
Subject: Re: [Cryptography] Opening Discussion: Speculation on BULLRUN
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:17.0) Gecko/20130620 Thunderbird/17.0.7

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

What surprises me is that anyone is surprised.

If you believed OpenBSD's Theo de Raadt and Gregory Perry back in late 2010, various government agencies (in this specific case the FBI- though one wonders if they were the originating agency) have been looking to introduce weaknesses wholesale into closed AND open source software and OS infrastructures for some time. Over a decade in his example. (See: http://marc.info/?l=openbsd-techm=129236621626462w=2)

Those of us old enough might marvel at the fact that going back to the late 1980s a huge dust up was caused by the allegations that Swiss firm Crypto AG introduced backdoors into their products at the behest of Western (read: United States and the BND) intelligence agencies, products that, at the time, were in widespread use by foreign governments who, one presumes, could not afford to field their own national cryptology centers to protect their own infrastructure (or were just lazy and seduced by a Swiss flag on the corporate domicile of Crypto AG). For the unwashed on the list, Wikipedia (and Der Spiegel) relate the story of (probably) hapless Crypto AG salesman Hans Buehler's 1992 arrest by the Iranian authorities after those allegations came to light, and the fact that Crypto AG paid a $1m ransom for him (but then later billed him for the $1m--you stay classy, Crypto AG). (See: http://en.wikipedia.org/wiki/Crypto_AG)

But fear not.
Governments and NGOs around the world will be pleased to know that Crypto AG lives on and continues to provide superior crypto and security solutions to foreign institutions of all kinds, including: National security councils, national competence centres, e-government authorities, encryption authorities, national banks, ministries of defence, combined/joint commands, cyber commands, air forces, land forces, naval forces, special forces, military intelligence services, defence encryption authorities, ministries of foreign affairs and numerous international organisations, ministries of the interior, presidential guards, critical infrastructure authorities, homeland security authorities, intelligence services, police forces, and cyber forces. (See: http://www.crypto.ch/ - The inclusion of a shot of the Patrouille Suisse is an especially nice touch. I often drive by their offices in Steinhausen and was stunned to realize a few years ago that they are thriving- I can only imagine what the mortgage on that place costs).

I expect that today many of us feel quite naive at being shocked by those penetration revelations (sorry, allegations) given that it seems highly probable now that anyone using any sort of Microsoft, Cisco, Google, Facebook, Yahoo, YouTube, Skype, AOL or Apple product has now been elevated to a collection priority that seemed confined to the Irans of the world in the 1990s and early 2000s.

Perry wondered after the unpardonable carelessness of the NSA in giving 50,000 Snowden's access to a Powerpoint with all the Prism partners. I would argue that the NSA had good cause to think no one would notice or care given how many people who should know MUCH MUCH better still send Crypto AG scads of money. And going back to the days of toad.com hasn't this always been the story? Security is expensive. Most people (and some governments) are cheap.

There's something about the present political climate in the United States that really interests me.
Mere mention of the word fascism in any context other than sarcasm seems to brand one quite instantly as a tin-foil nutjob. Granted, I think the word fascism is as overused as the word communism, but it bears mentioning that the usurpation of corporate entities and industry by the state to its own purposes is one of the classic tenets of fascism. I'm sure the list's readers sense where I'm going with this by now. It is hard to escape noticing that the NSA and its sister and orbital agencies have long since broken the traditional firewall and morphed themselves into domestic surveillance agencies.

But the United States is late to the party here. In the world of finance it was long understood that certain state-dominated Russian firms were front-running a number of U.S. economic indicators prior to release. The rumor at the time was that this activity stopped cold after a security audit at the offending U.S. agencies. It's possible that the story was apocryphal, but I sort of doubt it. The economic intelligence apparatus of foreign intelligence services was the place to be if you wanted to find yourself in the good graces of your nation-state. (It's not an accident that Nikolay Patolichev,
Re: [cryptography] Matthew Green: An understated response to the NSA and unidentified friends treachery
On 9/6/13, John Young j...@pipeline.com wrote:
> An understated response to the NSA and unidentified friends treachery:
> http://blog.cryptographyengineering.com/2013/09/on-nsa.html
> More of these expected, many. But who knows, as Green says, all could go back to swell comsec business as usual.

Linked from said blog...

http://software.intel.com/en-us/blogs/2012/05/14/what-is-intelr-secure-key-technology

Bull Mountain Technology ... BULLRUN. Bullshit naming coincidence or genuine cooperative wordplay? ;)
Re: [cryptography] what has the NSA broken?
2013/9/6 ianG i...@iang.org
> Hmmm, curious. I haven't seen that. I would also suspect it breaks a lot of CPSs and user agreements. But no matter, they're all broken anyway.

A 'user agreement' is an agreement between a company and a 'user'. All claims in it shall hold valid unless law dictates otherwise. Ask the NSA, law does dictate otherwise. Note that the NSA is not bound by laws from countries other than the USoA.
Re: [cryptography] Compositing Ciphers?
On Fri, Sep 6, 2013 at 7:27 PM, Jeffrey Walton noloa...@gmail.com wrote:
> I've been thinking about running a fast inner stream cipher (Salsa20 without a MAC) and wrapping it in AES with an authenticated encryption mode (or CBC mode with {HMAC|CMAC}).

My own very subjective opinion is that assuming all of: constant time implementations, an appropriate cipher mode, proper {key management, RNG, local end-point security}, then AES is perfectly safe. Of course, that's a lot of assumptions! You'll almost certainly fail at the local end-point security part. Long before your choice of ciphers is attacked your systems/protocols will have succumbed to other, cheaper attacks -- assuming they are targeted at all.

> I'm aware of, for example, NSA's Fishbowl running IPSec at the network layer (the outer encryption) and then SRTP and the application level (the inner encryption). But I'd like to focus on hardening one cipherstream at one level, and not cross OSI boundaries.

If you have the hardware for it, that's fine. I wouldn't bother composing ciphers in any given layer.

> Has anyone studied the configuration and security properties of an inner stream cipher with an outer block cipher?

Well, yes, it's been studied. Look for papers on 3DES, for example. Make sure not to make mistakes that leave you susceptible to meet-in-the-middle type attacks.

But, really, first make sure that you've covered the other bases, the ones that are going to be your Achilles' heel if you don't, such that your adversaries have no choice but to attack the crypto. THEN concern yourself with improving the crypto. IMO. Also, IANAC.

Nico
--
Re: [cryptography] Compositing Ciphers?
On Fri, Sep 6, 2013 at 8:53 PM, Natanael natanae...@gmail.com wrote:
> http://blog.cryptographyengineering.com/2012/02/multiple-encryption.html
> Apparently it's called cascade encryption or cascade encipherment, and the implementations are apparently called robust combiners. And by the way, Truecrypt already lets you pick your chosen combo of AES and two other ciphers.

Ah, right. I knew that was called cascading. I'm not sure why I called it compositing (it sucks getting old). I did not know Truecrypt provided it.

> I think you should worry about your PRNG and its seed before you focus on AES. Your key should both have enough entropy and be secret. Is your PRNG backdoored already? And I'm guessing the cipher mode probably matters a bit more than the exact choice of algorithm.

I believe the PRNG is good. The PRNG fetches from the OS, fetches from device sensors (accelerometers, gyroscopes, magnetometers), and practices hedging. I'm more worried about key exchange or agreement.

Jeff

> On Sat, Sep 7, 2013 at 2:27 AM, Jeffrey Walton noloa...@gmail.com wrote:
>> Hi All,
>>
>> With all the talk of the NSA poisoning NIST, would it be wise to composite ciphers? (NY Times, Guardian, Dr. Green's blog, et seq).
>>
>> I've been thinking about running a fast inner stream cipher (Salsa20 without a MAC) and wrapping it in AES with an authenticated encryption mode (or CBC mode with {HMAC|CMAC}).
>>
>> I'm aware of, for example, NSA's Fishbowl running IPSec at the network layer (the outer encryption) and then SRTP and the application level (the inner encryption). But I'd like to focus on hardening one cipherstream at one level, and not cross OSI boundaries.
>>
>> I'm also aware of the NSA's lightweight block ciphers (http://eprint.iacr.org/2013/404). I may have been born at night, but it was not last night.
>>
>> Has anyone studied the configuration and security properties of an inner stream cipher with an outer block cipher?
Re: [cryptography] Compositing Ciphers?
On Fri, Sep 6, 2013 at 8:05 PM, Jeffrey Walton noloa...@gmail.com wrote:
> I'm more worried about key exchange or agreement.

The list of things to get right is long. The hardest is getting the implementation right -- don't do all that work just to succumb to a remotely exploitable buffer overflow. Next up is physical security. Then key management. Then all the crypto stuff (ciphers, modes, MACs, hash functions, ...). Then the RNG. That's assuming off-the-shelf crypto algorithms.

And then there's your trusted insiders/counterparties. They are your biggest risk of all, or possibly second biggest, after plain old buffer overflows and similar.

Nico
--
Re: [cryptography] what has the NSA broken?
On 2013-09-06 11:58 PM, Ralph Holz wrote:
> I'd be surprised if a majority of CAs insisted on generating the key for you.

No one insists, as far as I know. The problem is that idiocy is possible and permissible, not that it is mandatory.