On 7/02/13 23:56 PM, Thierry Moreau wrote:
ianG wrote:
[Hushmail design] isn't
perfect but it was a whole lot better than futzing around with OpenPGP
keys and manual decrypting. And it was the latter 'risk' view that
won, Hushmail filled that niche between the hard core pgp community
the chances that
they live to report the next one.
Risks, not absolutes.
iang
[0] I saw we - my company had a hand in the original crypto back when
Hushmail was Cliff+1. FWIW.
___
cryptography mailing list
cryptography@randombit.net
http
bipolar, there is such a gulf between the
bureaucracy of the Oracle and the anarchy of DIY that neither side
recognises the other.
iang
[0] I kid not - Sun JCE deliberately obfuscates itself to slow down
replacement, and deliberately throws an obfuscated exception when the
permission isn't
encryption, at
least in SunJCE. (I've not checked what Bouncy Castle has to offer.)
In looking at BC's lightweight (non-JCE) library, I see OAEP, PKCS1,
ISO9796d1 and two versions for blinding (thanks Adam for that
description of why we want to use blinding, it had me confused...).
iang
because you have to work with one message worth of
data, and all you get is .. one message worth of plaintext.
But it's a nice puzzle.
iang
want to try and decode/break it once I have a demonstrator?
Typically nobody cares about helping others, they are too busy on their
own code. The only way you can get some interest is if your system is
famous and used by a lot of people.
iang
On 27/01/13 04:53 AM, Peter Gutmann wrote:
ianG i...@iang.org writes:
Could OAEP be considered reasonable for signatures?
You need to define appropriate. For example if you mean interoperable
then OAEP isn't even appropriate for encryption, let alone signatures.
Oh, interoperable
a feature, but not yours.
iang
[0] I recently alluded to a contract between the vendors and the CAs,
and that is another view on the same question. Unfortunately the
contracts are obfuscated and not necessarily written down. For example,
there is no one single document between Mozilla and its
be in sight of a great simplification in symmetric crypto
- one algorithm to handle all the modes and needs.
Is this a theory position or has it reached practicality? Have there
been any posted descriptions in how to use the core Keccak in these
different ways?
iang
Is anyone familiar with where the name Keccak comes from?
iang
away from the phone, to cloud, or a variant, and then we're back to the
same old remote password problem.
iang
--dan
On 13/01/13 22:47 PM, Jeffrey Walton wrote:
On Sun, Jan 13, 2013 at 1:20 PM, Warren Kumari war...@kumari.net wrote:
On Jan 12, 2013, at 4:27 AM, ianG i...@iang.org wrote:
On 11/01/13 02:59 AM, Jon Callas wrote:
...
The Amazon FAQ for Silk did
see those reasons?
iang
this
because it is the user, and the incentives are now apparent. It is also
the vendor so the capabilities are present.
Outside google, all there is really is talk.
iang
On 7/01/13 14:15 PM, Jeffrey Walton wrote:
Hi Ian,
Off list.
I suspect not. No matter.
iang
On 7/01/13 15:31 PM, Jeffrey Walton wrote:
On Mon, Jan 7, 2013 at 3:15 AM, ianG i...@iang.org wrote:
...
Yeah. Little known fact is that Mozilla maintains confidential discussions
with the CAs. The open group is basically theater, it has been totally
owned by the CAs for many years
theater with:
10 days of public comment?
Right?
For the record: when was that document first worked on in CABForum?
iang
There are two long-term trends that might inform this argument.
1. Vendors have typically refused to improve the model of browser
security if it has involved changes to the model. There is a long
history of people providing suggestions, papers and code, and the
vendors have ignored them.
?
iang
the rules
that keep us in business.
iang
- is there actually a
list?
Ralph
iang
ideas and tried them out. And then tried to cover up.
But whatever. The short story I see so far is that the CA made a
mistake. Rectified it once, not twice. Got caught out. Boom.
iang
[0] So I could update my Risk History:
http://wiki.cacert.org/Risk/History#h2012.5
On 5/01/13 21
to last a lot longer. These are
typically used between HQs. I'd expect these distinctions to disappear
somewhat with net-centric warfare tho :)
iang
PS: if you aren't convinced that Tigerspike is total marketing nonsense,
try and debug that last para
On 16/12/12 11:47 AM, Adam Back wrote:
(note the tidy email editing, Ben, and other blind top posters to massive
email threads :)
See inline.
On Sun, Dec 16, 2012 at 10:52:37AM +0300, ianG wrote:
[...] we want to prove that a certificate found in an MITM was in the
chain
or not.
But (4) we
.
Their security logic mistake is to assume that the self-signed
signature is to be compared with something signed by an 'authority',
rather than an unsigned competitor.
It is one of those enduring flaws that indicate that security isn't the
objective with such systems.
iang
On 14/12/12 18:51 PM, Eugen
a
certificate that is apparently signed by say VeriSign root and was found
in an MITM, we can simply publish it with the facts. Verisign are then
encouraged to disclose (a) it was ours, (b) it wasn't ours, or (c)
ummm...
iang
[1] Byzantinely again, a CA has to avoid privacy to some
On 4/11/12 10:17 AM, Jeffrey Walton wrote:
On Sat, Nov 3, 2012 at 6:25 PM, ianG i...@iang.org wrote:
On 1/11/12 10:55 AM, Peter Gutmann wrote:
Jeffrey Walton noloa...@gmail.com writes:
Is anyone aware of of application layer encryption protocols with session
management tuned for use
iang
packet delivery, the rest of the
'layers' don't need to worry about conventional session management and
authentication; which leads to the agility required in OP's use case -
taking packets in from multiple IP#s and carrying on, knowing they came
from the same secret key.
iang
[1] Nod
, or per reasonable reseed interval (not less than one
minute), that should be taken as a sign that its cryptography
is not skilfully implemented.
I don't believe the Linux pages are skilfully written :)
iang
the crypto industry is that there are so
many great failures to learn from.
iang
it means, we may be
finding out now as various systems set at 512-1024 display their age.
iang
http://craphound.com/spamsolutions.txt
Having said that, if anyone at one of the DKIM-using organisations would like
to contact me off-list to provide their point of view as to why toy keys were
Hi Thierry,
On 14/10/12 01:21 AM, Thierry Moreau wrote:
ianG wrote:
On 10/10/12 23:44 PM, Guido Witmond wrote:
2. Use SSL client certificates instead;
Yes, it works. My observations/evidence suggests it works far better
than passwords because it cuts out the disaster known as I lost my
, they just get on and install the certs...
iang
measurands. How do we do this?
Are we waiting on NIST to come out with some lengths, or are we really
requiring our cryptoplumbers to actually understand the innards of
KECCAK and wind the dials themselves?
iang
//landon
- Original Message
Subject: NIST Selects Winner
was a byword for trust. Fast forward to
now ... CRI is only 15 years old. Add a decade and will it still see
the same interests?
I'm sure it won't. The big question is not whether but when...
iang
to be
as perfect as the block encryption algorithm. Unfortunately, that's
not possible. We need to manage our expectations.
iang
.
Temptation is the normal response for users coping with bad design choices.
iang
Thanks for that, that is all that is needed to get the idea. (I was
hoping for some objective standard rather than a current-technology
taxonomy.)
iang
On 2/06/12 23:15 PM, Joe St Sauver wrote:
ianG asked:
#Would it be possible to describe in general words what LOA-1 thru 4 entails?
I
it be possible to describe in general words what LOA-1 thru 4 entails?
iang
On 31/05/12 04:25 AM, Joe St Sauver wrote:
Peter commented:
#That users know passwords and they work is a large part of the problem
#with passwords: the same low entropy security token is used for multiple
#systems with varying
. Worrisome, or good opportunities for dispute resolution
providers, depending on your perspective.
Dragging this back to crypto - there are good cryptographic aids for
value systems. There isn't much crypto can do for exchanges.
iang
that I can. Security problems? Surely, and I'm waiting to be
hit by them...
iang
passwords, once you get the
cert into the user's browser.
iang
[0] Funnily enough, over on Mozilla I just recommended against doing this.
? That's much more interesting.
iang
, to the extent above. My db has a table for all certs, and a table
for all users, with a join by cert identifiers between the two tables.
Thanks in advance.
iang
not ruling it out, it's just that we seem to have a
strange confluence of contrary objectives :)
iang
On 11/04/12 00:12 AM, Von Welch wrote:
Ian,
I've led or been involved with several projects in academia that have used
HSMs as a basis for a CA. I can't say I've done a cost analysis
, documentation,
testing recovery paths, training, maintenance contracts, upgrades, etc.
In comparison to the null project, not using them (e.g., using straight
servers in locked racks etc).
tia,
iang
.)
iang
that the audience is politicians tends to increase with
the size of the meeting.
Even a committee of 2 requires delicate political skills... :) Beyond
2, calling it political is perhaps being overly polite with the truth.
iang
that the SHA3 comp was unneeded. But it wasn't the
same level of necessity that AES had.
iang
hopping...
iang
[0] Dan Geer's delta argument.
to crypto...
iang
people to use crypto, all
is not yet lost!
Yeah. New applications is the opportunity. We saw this in Skype, when
a new field was not subject to the old domination. We didn't so much
see it with social networks, but there is something of it in there.
iang
[0] fixing s/mime to work
?
Debian optimisation of input to TLS code?
Possibly XOR related adventures, or RNGs.
Sound like a good enquiry for an article.
iang
, and personally suspected the communications
channels were leaking his secrets, so all the orders were sent by
motor-cycle couriers. E.g., Hitler was right. His generals were wrong.
(This seemed to happen often enough to keep Hitler in power...)
iang
talking up the
concept blasted it as merely a way to mock (using that very word) the concept.
And therein lies another story! Which always seems to end: and then we
lost the crypto wars. I treat it as a great learning experience.
iang
by yours truly indicate that a
100,000-node botnet would not contribute even 10% of the hash rate
seen in the dip.
Good observations and calculations. So, let's say you wanted a botnet
to do mining. What could you do to improve that?
iang
On 19/03/12 12:31 PM, ianG wrote:
... So after a lot of colour, it is not clear if they can break AES.
Yet. OK. But that is their plan. And they think they can do it, within
their foreseeable future.
So, step into NSA's shoes. If there is a timeline here we (NSA) worked
out we can break
, that's a significant factoid - the goal is in sight.
It's also interesting that they are justifying the goal to hoover
everything up as needed for future cryptanalysis material for when they
can break the codes.
iang
. Do the job at the lower layer, and re-do
the job at the higher layer. Resilience from failures.
Nothing to do with crypto, gets you zero marks in class. But as an
software or systems engineer, it's obvious, a no-brainer.
iang
[1] there is one way I've come across to combine two strong
use it, to name a few. And
they did so more or less naturally following good design processes. A
particularly indicative data point is SSH which offered both client-side
keys and passwords, and the latter sort of fell by the wayside.
iang
On 25/02/12 18:50 PM, Jon Callas wrote:
...We're not *stupid*.
Once upon a time ...ok skip the annoying anecdote and get to the question:
What would be the smallest steganography program that someone could type
in and use to hide ones secret archive in plain sight?
iang
...a long long
is not only theoretical:
https://bitcointalk.org/index.php?topic=16457.0
http://ulf-m.blogspot.com.au/
iang
some study.
Not everyone agrees...
iang
PS: if I wrote it again I'd drop the 7. I'm 3 times over the current
journalistic trend of 5 things you must know in order to achieve
happiness in all things.
to use it and
from where and how to obtain it.
Yes, crypto seems to be in layers. Block algorithms. Modes, and
implications. The rest. The game is to push more of it back down to
algorithms.
iang
thinking over to entropy source plus
deterministic mixer is quite inspired. Point being, they solved half
the problem; they'll be open to the other half?
iang
On 23/02/12 08:55 AM, Marsh Ray wrote:
On 02/22/2012 09:32 AM, Thierry Moreau wrote:
While commenting about
Hi James,
On 23/02/12 11:16 AM, James A. Donald wrote:
On 2012-02-23 9:07 AM, ianG wrote:
Um. I feel exactly the reverse. I feel uncomfortable with crypto code
written in languages that guarantee buffer overflows, stack busting
attacks, loose semantics at data and calling levels, a 5 x
developer
penalty, and an obsession about the metal not the customer.
Could be worse I suppose. Some days it seems that Javascript crypto is
inevitable.
Even I haven't gone that far :) I should tho.
iang
the balance right.
iang
on the part of some security people and all
the media to accept that some designers have accepted a risk rather than
stomp it dead.
iang
, or
that the NSA changed them...
iang
edge cases. One
way is to cram them all into the IV as one lump:
random||counter||time
With most algorithms these days, you've got 16 bytes in the first block.
Thanks,
-kevin
iang
the NIST concept of fully deterministic, fully testable, and it is up to
the User to provide the entire seed.
If the User chooses to hook her RNG output up to her PRNG input, then
that works too, but she's then in charge of both variables.
iang
in Mozilla.
iang
Ralph
On 02/14/2012 03:31 AM, ianG wrote:
Hi all,
Kathleen at Mozilla has reported that she is having trouble dealing with
Trustwave question because she doesn't know how many other CAs have
issued sub-roots that do MITMs.
Zero, one, a few or many?
I've sent a private email
of
the owner. Or any information really...
Obviously we all want to know who and how many ... but right now is not
the time to repeat demands for full disclosure. Right now, vendors need
to decide whether they are dropping CAs or not.
iang
it, the jaws of trust
just snapped shut:
http://financialcryptography.com/mt/archives/001359.html
iang
to Google itself, which already has much more detailed
information about its users.
With a dubious motive and no clear advantage over the existing
infrastructure, I'm underwhelmed.
iang
to make the
call.
iang
I think we should probably bring this to an end. I think I've said all
I can. You can have the last word, but my central point is: Let's
judge QKD protocols on a case-by-case basis, and not rule out the
whole field until such time as it is obvious that no QKD protocol can
the case that the market for security is not a real
market in the sense of good information symmetrically held by all.
Instead it is a market in silver bullets (google). This is just another
silver bullet.
iang
they never faced a threat are now likely
going face the music.
It's a bit like economics and finance. Predictions before the fact were
washed out in the general noise of buy, buy, buy... And predictions
after the fact aren't so satisfying :)
iang
should be fine for that, and if that's not
good, just up the generation to SHA2.
my 2 bits of entropy...
iang
already sent
the money to another jurisdiction...)
The thing is, just because a security mechanism doesn't seem to
translate to technological space doesn't mean it doesn't have legs.
iang
be hard, because the original threat model has
been replaced with a belief model.
0. Crypto Stick
http://www.privacyfoundation.de/crypto_stick/crypto_stick_english/
Nice!
iang
enjoyed a resurgence with skimming attacks on payment systems, with
attackers either being present or mounting cameras above the keypad to
catch the finger presses.
iang, hny, fwiw, typing fast...
, and that's before we get to non-repudiation which
clashes with law principles at its most foundational.. and if it
ever happened would lead to mass rioting and plastique bonfires and
rounding up of whoever was responsible.)
Have a merry XMas !
iang
, the CRL/OCSP certs for a root can only be revoked at software
level.
--dan, quite possibly in a rat hole
iang, we're all in rat holes together
[0] Unlike PGP where self can revoke self; there are no layers.
it's just caused the outsourcing of the hacking business
to places east of Europe, and the increase in profits potential.
Oh well. I suppose the market cap for facebook and google justifies it.
iang
is.
iang
am mollified. Others remain less so.) So I'd rewrite
the above last part to say, and your CA gets dropped from the root list
of major vendors.
What is the earliest sighting of a DPI-inspired MITM cert?
iang
PS: we need a better name than DPI MITM. For some reason I'm thinking
of WITM
that is a reliable presumption any more. There have been
numerous court cases that have trashed the simple corporate assets
presumption.
iang
the case :-)
Which is the point of security by NDA :)
Whoever said security by obscurity doesn't work? Must have been on
something.
iang
of the
hash-over-one-secret thing.
I'm assuming you don't care, coz of md5(secret). If you do care more,
the answer is probably to use a better construct, HMAC or
challenge/response of some form. E.g., better algorithm and leave the
side channel stuff until later.
iang
.
Unknown whether it stores certs that you reject.
iang, now about that drink...
to cover all certs from all CAs, and test on the certificates
not the serial numbers?
iang
the borders lie.
To be fair to Steve, although we've been bandying the term toy crypto
and cousins around for a while, we haven't really defined it. It's a
bit like american pornography, we know it when we see it.
iang
and frailties of PKI.
Yeah.
If you are doing research to document the state of real breaches, that
would be valuable info.
iang
hidden services) when server impersonation
occurs.
As far as I can see, this is a third party repository for the keys.
Which claims to reliably deliver the keys on request?
Is that it?
iang
that can
be correlated to its claimed purpose. C.f. Dan Geer's comment.
http://financialcryptography.com/mt/archives/001255.html
To live in interesting times!
iang
factor.
Is there any particular reason why PCI(e) is preferred as a hardware
interface?
iang
Another meta question: I seem to have missed the news that RSA has
stopped their factoring challenge in 2007!
http://en.wikipedia.org/wiki/RSA_Factoring_Challenge
Has anything replaced it? This is a great loss, what on earth were RSA
thinking?
iang