Re: [cryptography] Dissentr: A High-Latency Overlay Mix Network
Hi Eugen, did you evaluate leveraging existing Tor network properties by running Dissentr over the Tor network by default, to achieve some better security properties?

-- Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org

On 9/24/13 4:52 PM, Eugen Leitl wrote:
https://github.com/ShaneWilton/dissentr

Note: This project was created as part of a 36-hour hackathon - and primarily as a proof of concept. While the ideas may be sound, and the prototype may work as designed, the protocols involved in this specific project have not been peer-reviewed, and so I cannot recommend that the network be used for anything requiring serious privacy.

Dissentr: A High-Latency Overlay Mix Network

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
[cryptography] forward-secrecy =2048-bit in legacy browser/servers? (Re: [Cryptography] RSA equivalent key length/strength)
On Wed, Sep 25, 2013 at 11:59:50PM +1200, Peter Gutmann wrote:
Something that can sign a new RSA-2048 sub-certificate is called a CA. For a browser, it'll have to be a trusted CA. What I was asking you to explain is how the browsers are going to deal with over half a billion (source: Netcraft web server survey) new CAs in the ecosystem when websites sign a new RSA-2048 sub-certificate.

This is all ugly stuff, and probably 3072-bit RSA/DH keys should be deprecated in any new standard, but for the legacy work-around scenario to try to improve things while that is happening:

Is there a possibility with the RSA-RSA ciphersuite to have a certified RSA signing key, but that key is used to sign an RSA key negotiation? At least that was how the export ciphersuites worked (1024+ bit RSA auth, 512-bit export-grade key negotiation). And that could even be weakly forward secret in that the 512-bit RSA key could be per session. I imagine that ciphersuite is widely disabled at this point.

But wasn't there also a step-up certificate that allowed stronger keys if the right certificate bits were set (for approved export use like banking)? Would setting that bit in all certificates allow some legacy servers/browsers to get forward secrecy via large, temporary, key-negotiation-only RSA keys?

(You have to wonder if the 1024-bit max DH standard and code limits was a bit of earlier sabotage in itself.)

Adam
[cryptography] The Unbreakable Cipher
NSA Technical Journal published The Unbreakable Cipher in Spring 1961.
http://www.nsa.gov/public_info/_files/tech_journals/The_Unbreakable_Cipher.pdf

Excerpts:

[Quote]
David Kahn, Lyen Otuu Wllwgh WI Etjown pp. 71, 83, 84, 86, 88 and 90 of the New York Times Magazine November 13, 1960 says that an unbreakable cipher system can be made from one time key that is absolutely random and never repeats. ...

For each cipher system there is an upper bound to the amount of traffic it can protect against cryptanalytic attack. What is cryptanalytic attack? It is a process applied to cipher text in order to extract information, especially information contained in the messages and intended to be kept secret. If some of the information is gotten by other means and this results in more being extracted from the cipher, this is (at least partially) a successful attack. If certain phrases can be recognized when they are present, this is successful cryptanalysis. If a priori probabilities on possible contents are altered by examination of the cipher, this is cryptanalytic progress. If in making trial decipherments it is possible to pick out the correct one then cryptanalysis is successful. ...

Another example is that of Mr. Kahn, one-time key. Here the limit is quite clear; it is the amount of key on hand. The key arrives in finite messages, so there is only a finite amount on hand at any one time, and this limits the amount of traffic which can be sent securely. Of course another shipment of key raises this bound, but technically another cipher system is now in effect, for by my definition a cipher system is a message. A sequence of messages is a sequence of cipher systems, related perhaps, but not the same. ...

[Answer to the question:] Does there exist an unbreakable cipher would be this, Every cipher is breakable, given enough traffic, and every cipher is unbreakable, if the traffic volume is restricted enough.
[End quote]

Is this conclusion still valid?

If so, what could be done to restrict traffic volume to assure unbreakability? And how to sufficiently test that. Presuming that NSA and cohorts have investigated this effect.
Re: [cryptography] The Unbreakable Cipher
For your question: Session keys and key rotation?

On 25 Sep 2013 16:11, John Young j...@pipeline.com wrote:
NSA Technical Journal published The Unbreakable Cipher in Spring 1961.
http://www.nsa.gov/public_info/_files/tech_journals/The_Unbreakable_Cipher.pdf

Excerpts:

[Quote]
David Kahn, Lyen Otuu Wllwgh WI Etjown pp. 71, 83, 84, 86, 88 and 90 of the New York Times Magazine November 13, 1960 says that an unbreakable cipher system can be made from one time key that is absolutely random and never repeats. ...

For each cipher system there is an upper bound to the amount of traffic it can protect against cryptanalytic attack. What is cryptanalytic attack? It is a process applied to cipher text in order to extract information, especially information contained in the messages and intended to be kept secret. If some of the information is gotten by other means and this results in more being extracted from the cipher, this is (at least partially) a successful attack. If certain phrases can be recognized when they are present, this is successful cryptanalysis. If a priori probabilities on possible contents are altered by examination of the cipher, this is cryptanalytic progress. If in making trial decipherments it is possible to pick out the correct one then cryptanalysis is successful. ...

Another example is that of Mr. Kahn, one-time key. Here the limit is quite clear; it is the amount of key on hand. The key arrives in finite messages, so there is only a finite amount on hand at any one time, and this limits the amount of traffic which can be sent securely. Of course another shipment of key raises this bound, but technically another cipher system is now in effect, for by my definition a cipher system is a message. A sequence of messages is a sequence of cipher systems, related perhaps, but not the same. ...

[Answer to the question:] Does there exist an unbreakable cipher would be this, Every cipher is breakable, given enough traffic, and every cipher is unbreakable, if the traffic volume is restricted enough.
[End quote]

Is this conclusion still valid? If so, what could be done to restrict traffic volume to assure unbreakability? And how to sufficiently test that. Presuming that NSA and cohorts have investigated this effect.
Re: [cryptography] The Unbreakable Cipher
On Wed, Sep 25, 2013 at 10:11:33AM -0400, John Young wrote:
Is this conclusion still valid? If so, what could be done to restrict traffic volume to assure unbreakability? And how to sufficiently test that.

You need to be able to estimate the rate of information leakage. This seems to be related to measuring RNG entropy, and is considered a hard (perhaps hopeless?) problem.

Presuming that NSA and cohorts have investigated this effect.

It seems to be possible to construct a family of cyphers based on PRNGs with Very Large Internal State (the shared key is the state) that asymptotically approach (in a special/edge case are exactly equivalent to) one-time pads. You'd tap them for XOR with cleartext through a relatively small (= plenty of hidden state) window (not necessarily contiguous) and use enough iteration rounds to make sure the information has had a chance to propagate through the computational volume.

Edge cases are low-dimensional CAs with a suitable rule, which should be easiest to attack. Higher-dimensional CA analoga have a lot of neighborhood cells, and their map to address space looks like a small-world network, so state mixes quite rapidly, requiring fewer rounds. Whether making the neighborhood itself random versus orthogonal is helping or hindering things is not obvious. Whether making the neighborhood itself subject to change at each or every N rounds is helping or hindering things is not obvious.

The actual problem is to build them provably hard to reverse, and rekey (through a secure channel, natch) before they leak enough information about their inner state to be attackable.
Re: [cryptography] The Unbreakable Cipher
On Wed, Sep 25, 2013 at 10:11 AM, John Young j...@pipeline.com wrote:
NSA Technical Journal published The Unbreakable Cipher in Spring 1961.
http://www.nsa.gov/public_info/_files/tech_journals/The_Unbreakable_Cipher.pdf

Excerpts:

[Quote]
David Kahn, Lyen Otuu Wllwgh WI Etjown pp. 71, 83, 84, 86, 88 and 90 of the New York Times Magazine November 13, 1960 says that an unbreakable cipher system can be made from one time key that is absolutely random and never repeats. ...

I'm not sure why this was news in 1961; Shannon had this observation a decade earlier and the one-time pad predates that.

[Answer to the question:] Does there exist an unbreakable cipher would be this, Every cipher is breakable, given enough traffic, and every cipher is unbreakable, if the traffic volume is restricted enough.
[End quote]

Is this conclusion still valid?

Every cipher is breakable, given enough traffic: in principle, yes, as long as the traffic (formally, the entropy of the traffic) is larger than the keylength.

Every cipher is unbreakable, if the traffic volume is restricted enough: not true; the cipher that ignores the key and outputs the message in the clear is not secure for any non-zero traffic. On the other hand, the one-time pad is secure as long as the traffic is less than the keylength.

If so, what could be done to restrict traffic volume to assure unbreakability? And how to sufficiently test that. Presuming that NSA and cohorts have investigated this effect.
Re: [cryptography] The Unbreakable Cipher
On Sep 25, 2013, at 9:40, Jonathan Katz jk...@cs.umd.edu wrote:
Every cipher is breakable, given enough traffic: in principle, yes, as long as the traffic (formally, the entropy of the traffic) is larger than the key length.

You misstated this. It's breakable if the *redundancy* of the traffic is larger than the key length.

regards, Greg.
Re: [cryptography] The Unbreakable Cipher
On Wed, Sep 25, 2013 at 1:30 PM, Greg Rose g...@seer-grog.net wrote:
On Sep 25, 2013, at 9:40, Jonathan Katz jk...@cs.umd.edu wrote:
Every cipher is breakable, given enough traffic: in principle, yes, as long as the traffic (formally, the entropy of the traffic) is larger than the key length.

You misstated this. It's breakable if the *redundancy* of the traffic is larger than the key length.

Not so; this is most easily seen by taking the uniform distribution over n-bit messages, in which case the entropy is n and the redundancy is 0.

regards, Greg.
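The exchange above turns on how much traffic a fixed key can protect and what property of that traffic (its entropy, its redundancy) decides the answer. The following is an added example, written for this page and not code from any of the posters: a constructed Python experiment that counts how many keys remain consistent with the ciphertext as an attacker sees more of it, under a toy repeating-XOR cipher. With redundant plaintext (assumed here to be lowercase letters and spaces, 27 symbols in an 8-bit channel) the count falls to one; with traffic the attacker cannot distinguish from random bytes it never moves, however long the traffic; and with a key as long as the traffic (a one-time pad) every plausible plaintext stays equally consistent, so nothing is learned. The alphabet, sample text and key are constructed, as are the function names.

```python
"""Constructed demonstration (added example, not from the thread): how much
ciphertext an attacker needs before a fixed key is pinned down, and how that
depends on the redundancy of the traffic rather than on the cipher alone."""
import os

# Alphabet of the constructed plaintext: 27 symbols carried in 8-bit bytes,
# so each byte holds ~4.75 bits of entropy and ~3.25 bits of redundancy.
ALPHABET = set(b"abcdefghijklmnopqrstuvwxyz ")

# Constructed sample traffic and key (not taken from the page).
TEXT = b"the quick brown fox jumps over a lazy dog"
KEY = bytes([0x5C, 0xA1, 0x07])   # 3-byte key, reused cyclically


def xor_repeat(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR the data with the key repeated cyclically.
    When len(key) >= len(data) every key byte is used once: a one-time pad."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def in_alphabet(candidate: bytes) -> bool:
    """Attacker's plausibility test for redundant (text-like) traffic."""
    return all(b in ALPHABET for b in candidate)


def any_bytes(candidate: bytes) -> bool:
    """Plausibility test for uniform random traffic: every decryption is as
    plausible as every other, so no key can ever be ruled out."""
    return True


def consistent_keys(ciphertext: bytes, key_len: int, plausible) -> int:
    """Number of key_len-byte keys under which the whole ciphertext decrypts
    to plausible traffic. Key byte i only touches positions i, i+key_len, ...,
    so each key byte is tested on its own column and the counts multiply.
    A column nobody has seen yet leaves all 256 values open."""
    total = 1
    for i in range(key_len):
        column = ciphertext[i::key_len]
        survivors = sum(
            1 for k in range(256)
            if plausible(bytes(c ^ k for c in column))
        )
        total *= survivors
    return total


def survivor_curve(plaintext: bytes, key: bytes, plausible) -> list:
    """Consistent-key count after the attacker has seen 1, 2, ... bytes."""
    return [
        consistent_keys(xor_repeat(key, plaintext[:n]), len(key), plausible)
        for n in range(1, len(plaintext) + 1)
    ]


def one_time_pad_candidates(plaintext: bytes, plausible) -> int:
    """Same count when the key is as long as the traffic (a one-time pad):
    one consistent key per plausible plaintext, so the ciphertext says nothing."""
    pad = os.urandom(len(plaintext))
    return consistent_keys(xor_repeat(pad, plaintext), len(pad), plausible)


if __name__ == "__main__":
    curve = survivor_curve(TEXT, KEY, in_alphabet)
    print("redundant traffic, 3-byte key:", curve[0], "->", curve[-1])
    print("uniform traffic, 3-byte key:  ",
          survivor_curve(os.urandom(len(TEXT)), KEY, any_bytes)[-1])
    print("one-time pad, 4 bytes of text: ",
          one_time_pad_candidates(TEXT[:4], in_alphabet), "=", 27 ** 4)
```

The counting is exact rather than statistical: because each key byte acts on its own residue class of positions, the survivors per column multiply, and the curve can only decrease as more ciphertext arrives. Swapping in a different plausibility test is the whole story: the cipher and key length are identical in all three runs, and only the structure the attacker can recognise in the plaintext changes the outcome.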
[cryptography] The Compromised Internet
Now that it appears the Internet is compromised what other means can rapidly deliver tiny fragments of an encrypted message, each unique for transmission, then reassembled upon receipt, kind of like packets but much smaller and less predictable, dare say random?

The legacy transceiver technologies prior to the Internet or developed parallel to it, burst via radio, microwave, EM emanations, laser, ELF, moon or planetary bounce, spread spectrum, ELF, hydro, olfactory, quanta, and the like. Presumably if these are possible they will remain classified, kept in research labs for advanced study, or shelved for future use. Quite a few are hinted at, redacted and partially described in NSA technical publications from 25-50 or so years ago. Many developed for military use and the best never shared with the public.

A skeptic might suppose the internet was invented and promoted as a diversion along with public-use digital cryptography. This ruse has led to immense growth in transmission-breakable ciphers as well as vulnerable transceivers. Packet technology could hardly be surpassed for tappability as Snowden and cohorts disclose the tip of the iceberg. Ironically, the cohorts believe encryption protects their communications, conceals his location and cloaks the depositories.
Re: [cryptography] The Compromised Internet
On Wed, Sep 25, 2013 at 1:07 PM, John Young j...@pipeline.com wrote:
Now that it appears the Internet is compromised

What threat are you trying to prevent that isn't already solved by the use of cryptography alone?

-- Tony Arcieri
Re: [cryptography] The Compromised Internet
Carrier-agnostic encrypted mesh routing software: CJDNS. Cantenna, IR-link based RONJA, ethernet/LAN, whatever. If you've got a data link you can use it. It creates an IPv6 network internally in the 'fc' range (private network) where the address is a hash of the node's public key.

On Wed, Sep 25, 2013 at 10:07 PM, John Young j...@pipeline.com wrote:
Now that it appears the Internet is compromised what other means can rapidly deliver tiny fragments of an encrypted message, each unique for transmission, then reassembled upon receipt, kind of like packets but much smaller and less predictable, dare say random?

The legacy transceiver technologies prior to the Internet or developed parallel to it, burst via radio, microwave, EM emanations, laser, ELF, moon or planetary bounce, spread spectrum, ELF, hydro, olfactory, quanta, and the like. Presumably if these are possible they will remain classified, kept in research labs for advanced study, or shelved for future use. Quite a few are hinted at, redacted and partially described in NSA technical publications from 25-50 or so years ago. Many developed for military use and the best never shared with the public.

A skeptic might suppose the internet was invented and promoted as a diversion along with public-use digital cryptography. This ruse has led to immense growth in transmission-breakable ciphers as well as vulnerable transceivers. Packet technology could hardly be surpassed for tappability as Snowden and cohorts disclose the tip of the iceberg. Ironically, the cohorts believe encryption protects their communications, conceals his location and cloaks the depositories.
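The property the message points at, an address in the fc00::/8 range that is a hash of the node's public key, is what makes such an address self-certifying: a peer can check that whoever presents a key in the handshake really owns the address the packets claim, with no directory or CA involved. The following is an added example, not cjdns project code. It assumes the construction cjdns documents, reproduced from memory: the address is the first 16 bytes of SHA-512(SHA-512(pubkey)), a key is only usable if that address begins with 0xfc, and key generation simply loops until one does. Real cjdns keys are curve25519 public keys; here a deterministic stand-in derived from a seed replaces the key pair so the example runs offline, and the function names are constructed.

```python
"""Added example (not cjdns code): self-certifying fc00::/8 addresses
derived from a node's public key, and the check a peer performs."""
import hashlib
import ipaddress


def address_from_pubkey(pubkey: bytes) -> bytes:
    """Assumed cjdns rule: first 16 bytes of the double SHA-512 of the key."""
    inner = hashlib.sha512(pubkey).digest()
    return hashlib.sha512(inner).digest()[:16]


def is_valid_address(addr: bytes) -> bool:
    """Only addresses inside fc00::/8 (first byte 0xfc) are accepted."""
    return len(addr) == 16 and addr[0] == 0xFC


def find_key(seed: bytes, max_tries: int = 100000):
    """Constructed stand-in for key generation: derive candidate 'public
    keys' from the seed and a counter until the derived address lands in
    fc00::/8. About 1 candidate in 256 qualifies, so this is quick."""
    for counter in range(max_tries):
        pubkey = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        addr = address_from_pubkey(pubkey)
        if is_valid_address(addr):
            return pubkey, addr
    raise RuntimeError("no valid key found within max_tries")


def verify_claim(pubkey: bytes, claimed_addr: bytes) -> bool:
    """What a peer checks on first contact: the key presented in the
    handshake must hash to the address the packet claims, and that address
    must be in range. Claiming someone else's address would require a
    second preimage of the double hash for that 16-byte prefix."""
    return is_valid_address(claimed_addr) and \
        address_from_pubkey(pubkey) == claimed_addr


def as_ipv6(addr: bytes) -> str:
    """Render the 16 raw bytes in standard IPv6 notation."""
    return str(ipaddress.IPv6Address(addr))


if __name__ == "__main__":
    pk, addr = find_key(b"constructed-seed")
    print(as_ipv6(addr), "valid:", verify_claim(pk, addr))
    forged = bytes([0xFC]) + addr[1:15] + bytes([addr[15] ^ 1])
    print(as_ipv6(forged), "valid:", verify_claim(pk, forged))
```

The binding runs one way only: the address identifies the key, but nothing here identifies the person or machine behind the key, so such a network still needs some out-of-band way to decide which keys to peer with.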
Re: [cryptography] The Compromised Internet
On 9/25/13, John Young j...@pipeline.com wrote:
Now that it appears the Internet is compromised what other means can rapidly deliver tiny fragments of an encrypted message, each unique for transmission, then reassembled upon receipt, kind of like packets but much smaller and less predictable, dare say random?

The legacy transceiver technologies prior to the Internet or developed parallel to it, burst via radio, microwave, EM emanations, laser, ELF, moon or planetary bounce, spread spectrum, ELF, hydro, olfactory, quanta, and the like. Presumably if these are possible they will remain classified, kept in research labs for advanced study, or shelved for future use.

There is a spread spectrum radio tech where you broadcast on essentially all frequencies / wideband at once. To the eavesdropper it appears as simply a rise in unlocatable background noise levels. Yet there is a twist... you and your peer possess a crypto key. That key is used to select and form a broadcast/reception frequency map over the entire spectrum. You drive it with software radio. Think of the map as a vertically slotted grille mask over your spectrum analyzer. The grille spacing/width/overlap is random. What you see is your distributed signal hidden in the noise. Pass it down your stack for further processing and decoding.

It's been a while since I've seen this described, whether formally, or applied. Link to paper[s] covering the topic would be appreciated.
Re: [cryptography] The Compromised Internet
At 04:36 PM 9/25/2013, you wrote:
What threat are you trying to prevent that isn't already solved by the use of cryptography alone?

Transceiver vulnerabilities of the Internet, seemingly inherently insecure by design. So looking for possibilities of moving encrypted goods by other means not betrayed by faulty shipment and addled by ubiquity and familiarity.

Not that that is original by any stretch, wizards are jawing about a new internet, secure by design. May take a while, so workarounds of the present piece of carrion might be useful. Not to overlook a new-fangled Snowden loosening the controls of comsec technology beyond his and our PK-packet-tech era comprehension.

So beyond mathematically-enthroned encryption what lies awaiting disclosure. Oldies might suffice if dutifully studied and elaborated. Thus the reference to NSA's backroom of pre-internet-PK comsec tech which could be in the forefront, cutting/bleeding edge.
Re: [cryptography] The Compromised Internet
Yes, along those lines. Free of the totally seductively entrapping internet and monomaniacal PK promiscuity. The slew of innovations to milk the internet and crypto are way stations toward surpassing vulns of both used in concert. Both mutually delude. Each might lead to better alone, paired with different and less familiar means.

At 04:29 PM 9/25/2013, you wrote:
Free and Open 4G radios/base stations are actually quite exciting for this reason. The thing which actually prevents mesh networks from working is mathematical: past a certain network size, path finding becomes too computationally expensive, so wifi based mesh networks can only cover a certain radius before they stop working. With the 4G spectrum, however, the distances between hops vastly increases, meaning that city-wide mesh networks can grow and remain performant. This allows for free communication and file transfer without centralized authorities. Obviously there are still threats, but there is a lot of freedom gained from network autonomy.
Re: [cryptography] The Compromised Internet
At 04:21 PM 9/25/2013, you wrote:
About your only choices are hams or (slightly higher budget) microsats with onboard flash and DTN (notice you can deliver packets during flyby). Hams also do launch microsats, so there's some overlap. I've been waiting for consumer phased arrays, just saw Locata VRay today -- perhaps not for much longer now. Prime your phased array with s00per-s3kr1t sat ephemerides, and you're good to go. Really hard to jam, too -- optical ones impossible to jam, even. For very high latency you could just use a global sneakernet. http://what-if.xkcd.com/31/ has some numbers. You could probably already run stock Usenet over uucp over that.

Yes, I understand some of these, maybe all, are used for mil-gov-spy communications, likely in pretty advanced versions, and long in use before and with the internet. But not for high-value comsec of the present era.

Mil-gov-spy use of and spying on the internet and commercial-grade encryption, https and the like, for low-value communications should indicate much better and more varied means are used for high-value. Smil, intelnet, nsanet, and other intra-IC networks are minimally secure, advertised and touted on internet outlets, thus typical fat food for foodies at lower levels of clearance.

Commercial-grade comsec, which is all the public has access to, appears tailored by standards setting and selective crypto competitions to convince of reliability. Openness promoted as a seal of approval. Fine propaganda that. Now what about what is not known openly. Well, that is what's below Snowden's tip of the iceberg slides, papers and briefings. Where's the hardware specs?
Re: [cryptography] The Compromised Internet
On 9/25/13, Rich Jones r...@openwatch.net wrote:
That kind of technology is already widely deployed in walkie talkies - I think I remember at HOPE a speaker mentioning that the NYPD used this technique until they abandoned it due to its inconvenience.
http://en.wikipedia.org/wiki/Frequency-hopping_spread_spectrum

I don't think so, if I recall, it seemed to be a further development of the above linked idea. There might not have been the usual notion of a coded/shared freq hopping sequence in which a carrier transmit data. But more like a continuous parallel broadcast under the mask. Maybe the data was not carried within the freqs but in the choice of freqs themselves.
Re: [cryptography] The Compromised Internet
On Sep 25, 2013, at 13:50, grarpamp grarp...@gmail.com wrote:
On 9/25/13, John Young j...@pipeline.com wrote:
Now that it appears the Internet is compromised what other means can rapidly deliver tiny fragments of an encrypted message, each unique for transmission, then reassembled upon receipt, kind of like packets but much smaller and less predictable, dare say random?

The legacy transceiver technologies prior to the Internet or developed parallel to it, burst via radio, microwave, EM emanations, laser, ELF, moon or planetary bounce, spread spectrum, ELF, hydro, olfactory, quanta, and the like. Presumably if these are possible they will remain classified, kept in research labs for advanced study, or shelved for future use.

There is a spread spectrum radio tech where you broadcast on essentially all frequencies / wideband at once. To the eavesdropper it appears as simply a rise in unlocatable background noise levels. Yet there is a twist... you and your peer possess a crypto key. That key is used to select and form a broadcast/reception frequency map over the entire spectrum. You drive it with software radio. Think of the map as a vertically slotted grille mask over your spectrum analyzer. The grille spacing/width/overlap is random. What you see is your distributed signal hidden in the noise. Pass it down your stack for further processing and decoding.

Even under the much-relaxed export laws of the US, deriving spreading information cryptographically is a prohibited export. Which isn't to say it is not a good idea.

Greg.
Re: [cryptography] The Compromised Internet
Tony Arcieri basc...@gmail.com writes:
What threat are you trying to prevent that isn't already solved by the use of cryptography alone?

The threat of people saying we'll just throw some cryptography at it and then all our problems will be solved.

Peter.
Re: [cryptography] forward-secrecy =2048-bit in legacy browser/servers? (Re: [Cryptography] RSA equivalent key length/strength)
Adam Back a...@cypherspace.org writes:
Is there a possibility with the RSA-RSA ciphersuite to have a certified RSA signing key, but that key is used to sign an RSA key negotiation?

Yes, but not in the way you want. This is what the 1990s-vintage RSA export ciphersuites did, but they were designed so you couldn't use them to provide strong security.

I imagine that ciphersuite is widely disabled at this point.

That'd be the other problem :-).

Peter.
Re: [cryptography] The Compromised Internet
On 9/25/13, Greg Rose g...@seer-grog.net wrote:
Even under the much-relaxed export laws of the US, deriving spreading information cryptographically is a prohibited export. Which isn't to say it is not a good idea.

The US only applies to itself. Further, over the air, it's noise, the crypto is undetectable and unprovable. And it's (guerilla) software, not physical commercial product. Nor is this the old 'FCC says you can't encrypt ham bands' argument/tech.
[cryptography] Snowden walked away with the U.S. IC Intellipedia
A sends:

Snowden walked away with the U.S. IC Intellipedia.
http://en.wikipedia.org/wiki/Intellipedia

Information on the validity of this claim invited: cryptome[at]earthlink.net