Re: [Cryptography] Suite B after today's news

2013-09-10 Thread Ben Laurie
On 10 September 2013 11:29, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: Ben Laurie b...@links.org writes: We need to get an extension number allocated, since the one it uses clashes with ALPN. It does? draft-ietf-tls-applayerprotoneg-01 doesn't mention ID 0x10 anywhere. (In any case

Re: [Cryptography] What TLS ciphersuites are still OK?

2013-09-10 Thread Ben Laurie
On 9 September 2013 22:49, Stephen Farrell stephen.farr...@cs.tcd.iewrote: Hi Ben, On 09/09/2013 05:29 PM, Ben Laurie wrote: Perry asked me to summarise the status of TLS a while back ... luckily I don't have to because someone else has:

Re: [Cryptography] Seed values for NIST curves

2013-09-10 Thread Joachim Strömbergson
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Aloha! Tony Arcieri wrote: The question is... suitable for what? djb argues it could be used to find a particularly weak curve, depending on what your goals are: http://i.imgur.com/o6Y19uL.png So, the question is then - how do we fix this? I

Re: [Cryptography] Suite B after today's news

2013-09-10 Thread Peter Gutmann
Ben Laurie b...@links.org writes: We need to get an extension number allocated, since the one it uses clashes with ALPN. It does? draft-ietf-tls-applayerprotoneg-01 doesn't mention ID 0x10 anywhere. (In any case -encrypt-then-MAC got there first, these Johnny-come-lately's can find their own

Re: [Cryptography] What TLS ciphersuites are still OK?

2013-09-10 Thread Stephen Farrell
On 09/10/2013 02:01 PM, Ben Laurie wrote: Claiming that all the rest are no good also seems overblown, if that's what you meant. Other than minor variations on the above, all the other ciphersuites have problems - known attacks, unreviewed ciphers, etc. There are issues, sure. And way

Re: [Cryptography] What TLS ciphersuites are still OK?

2013-09-10 Thread Yaron Sheffer
Hi Hanno, Please send any comments on this draft to the TLS Working Group mailing list, t...@ietf.org. Thanks, Yaron On 09/10/2013 12:14 AM, Hanno Böck wrote: On Mon, 9 Sep 2013 17:29:24 +0100 Ben Laurie b...@links.org wrote: Perry asked me to summarise the status of TLS a while

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-10 Thread Andreas Davour
On Mon, Sep 09, 2013 at 06:41:23AM -0700, Andreas Davour wrote: So there *is* a BTNS implementation, after all. Albeit only for OpenBSD -- but this means FreeBSD is next, and Linux to follow. I might add that as far as I know, this work has not been picked up yet by neither

Re: [Cryptography] What TLS ciphersuites are still OK?

2013-09-10 Thread Tony Arcieri
On Mon, Sep 9, 2013 at 9:29 AM, Ben Laurie b...@links.org wrote: And the brief summary is: there's only one ciphersuite left that's good, and unfortunately its only available in TLS 1.2: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 A lot of people don't like GCM either ;) So we're screwed! Well,

Re: [Cryptography] Thoughts about keys

2013-09-10 Thread Guido Witmond
Hi Peter, We really have different designs. I'll comment inline. On 09/09/13 19:12, Peter Fairbrother wrote: On 09/09/13 13:08, Guido Witmond wrote: I like to look at it the other way round, retrieving the correct name for a key. You don't give someone your name, you give them an 80-bit

Re: [Cryptography] What TLS ciphersuites are still OK?

2013-09-10 Thread Ben Laurie
On 10 September 2013 03:59, james hughes hugh...@mac.com wrote: On Sep 9, 2013, at 2:49 PM, Stephen Farrell stephen.farr...@cs.tcd.ie wrote: On 09/09/2013 05:29 PM, Ben Laurie wrote: Perry asked me to summarise the status of TLS a while back ... luckily I don't have to because someone

Re: [Cryptography] Random number generation influenced, HW RNG

2013-09-10 Thread ianG
On 10/09/13 06:29 AM, John Kelsey wrote: But I am not sure how much it helps against tampered chips. If I can tamper with the noise source in hardware to make it predictable, it seems like I should also be able to make it simulate the expected behavior. I expect this is more complicated

[Cryptography] Squaring Zooko's triangle

2013-09-10 Thread James A. Donald
On 2013-09-10 3:12 AM, Peter Fairbrother wrote: I like to look at it the other way round, retrieving the correct name for a key. You don't give someone your name, you give them an 80-bit key fingerprint. It looks something like m-NN4H-JS7Y-OTRH-GIRN. The m- is common to all, it just says

Re: [Cryptography] Techniques for malevolent crypto hardware

2013-09-10 Thread Jerry Leichter
On Sep 9, 2013, at 9:17 AM, Kent Borg wrote: Which brings into the light the question: Just *why* have so many random number generators proved to be so weak. Your three cases left off an important one: Not bothering to seed the PRNG at all. I think the Java/Android cryptographic (!)

Re: [Cryptography] The One True Cipher Suite

2013-09-10 Thread Jerry Leichter
On Sep 9, 2013, at 12:00 PM, Phillip Hallam-Baker wrote: Steve Bellovin has made the same argument and I agree with it. Proliferation of cipher suites is not helpful. The point I make is that adding a strong cipher does not make you more secure. Only removing the option of using weak

[Cryptography] Fw: how could ECC params be subverted other evidence

2013-09-10 Thread Perry E. Metzger
Forwarding because Adam apparently has distinct envelope and From: addresses and didn't notice the bounce. Note that anyone replying and attributing this message to *me* will be laughed at mercilessly as their message is rejected. Perry Begin forwarded message: Date: Tue, 10 Sep 2013 13:42:57

[Cryptography] Reports: NSA, GCHQ used forged certs to impersonate Google

2013-09-10 Thread Perry E. Metzger
The story has been floating around for some days now. Apparently, Man in the Middle attacks have been used quite extensively, including against the Brazilian state oil company, and a major international wire transfer network.

Re: [Cryptography] Techniques for malevolent crypto hardware

2013-09-10 Thread Perry E. Metzger
On Sun, 8 Sep 2013 15:22:32 -0400 Perry E. Metzger pe...@piermont.com wrote: Ah, now *this* is potentially interesting. Imagine if you have a crypto accelerator that generates its IVs by encrypting information about keys in use using a key an observer might have or could guess from a small

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-10 Thread Joe Abley
On 2013-09-09, at 12:04, Salz, Rich rs...@akamai.com wrote: ➢ then maybe it's not such a silly accusation to think that root CAs are routinely distributed to multinational secret ➢ services to perform MITM session decryption on any form of communication that derives its security from the

[Cryptography] EFF press release on latest FISA opinions release

2013-09-10 Thread Perry E. Metzger
The documents haven't yet been completely processed, but they've already found some interesting features. Quoting: The NSA apparently believed that it had the authority to search the telephone records database in order to obtain the 'reasonable articulable suspicion' required to

Re: [Cryptography] What TLS ciphersuites are still OK?

2013-09-10 Thread Peter Fairbrother
On 10/09/13 14:03, Ben Laurie wrote: On 10 September 2013 03:59, james hughes hugh...@mac.com mailto:hugh...@mac.com wrote: [...] TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 I retract my previous +1 for this ciphersuite. This is hard coded 1024 DHE and 1024bit RSA. It is not hard coded

Re: [Cryptography] Availability of plaintext/ciphertext pairs (was Re: In the face of cooperative end-points, PFS doesn't help)

2013-09-10 Thread Jerry Leichter
On Sep 10, 2013, at 5:49 PM, Perry E. Metzger pe...@piermont.com wrote: Phil Rogoway has a paper somewhere discussing the right way to implement cryptographic modes and API's. It would be useful to get a URL for it. In particular, he recommends changing the definition of CBC...to E_0 =

Re: [Cryptography] What TLS ciphersuites are still OK?

2013-09-10 Thread james hughes
On Sep 9, 2013, at 9:10 PM, Tony Arcieri basc...@gmail.com wrote: On Mon, Sep 9, 2013 at 9:29 AM, Ben Laurie b...@links.org wrote: And the brief summary is: there's only one ciphersuite left that's good, and unfortunately its only available in TLS 1.2: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

Re: [Cryptography] Availability of plaintext/ciphertext pairs (was Re: In the face of cooperative end-points, PFS doesn't help)

2013-09-10 Thread Jerry Leichter
On Sep 10, 2013, at 12:43 PM, Nemo n...@self-evident.org wrote: GET / HTTP/1.1\r\n is exactly 16 bytes, or one AES block. If the IV is sent in the clear -- which it is -- that is one plaintext-ciphertext pair right there for every HTTPS connection. Phil Rogoway has a paper somewhere discussing

Re: [Cryptography] Thoughts on hardware randomness sources

2013-09-10 Thread Sandy Harris
On Tue, Sep 10, 2013 at 10:59 AM, Marcus D. Leech mle...@ripnet.com wrote: I wonder what people's opinions are on things like the randomsound daemon that is available for Linux. I have not looked at that. A well thought out well documented RNG based on a sound card is:

Re: [Cryptography] Squaring Zooko's triangle

2013-09-10 Thread Peter Fairbrother
On 10/09/13 05:38, James A. Donald wrote: On 2013-09-10 3:12 AM, Peter Fairbrother wrote: I like to look at it the other way round, retrieving the correct name for a key. You don't give someone your name, you give them an 80-bit key fingerprint. It looks something like m-NN4H-JS7Y-OTRH-GIRN.

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-10 Thread Perry E. Metzger
On Tue, 10 Sep 2013 17:04:51 -0400 Joe Abley jab...@hopcount.ca wrote: On 2013-09-09, at 12:04, Salz, Rich rs...@akamai.com wrote: then maybe it's not such a silly accusation to think that root CAs are routinely distributed to multinational secret services to perform MITM session

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-10 Thread Ben Laurie
On 10 September 2013 22:04, Joe Abley jab...@hopcount.ca wrote: Suppose Mallory has access to the private keys of CAs which are in the browser list or otherwise widely-trusted. An on-path attack between Alice and Bob would allow Mallory to terminate Alice's TLS connection, presenting an

Re: [Cryptography] Seed values for NIST curves

2013-09-10 Thread Tony Arcieri
On Tue, Sep 10, 2013 at 3:36 AM, Joachim Strömbergson joac...@strombergson.com wrote: 1. We as a community create a list of curves that we agree on are good. The list is placed in a document, for example an RFC that clearly states what criteria has been used, what the sources for the curves

[Cryptography] soft chewy center

2013-09-10 Thread bmanning
much of the discussion these past few weeks seems to be centered on channel and container protection, secure paths, encrypted file systems, etc. much effort has gone into ensureing opaque environments for data to flow. and while interesting and perhaps useful, not a whole lot of effort

Re: [Cryptography] Thoughts on hardware randomness sources

2013-09-10 Thread Marcus D. Leech
On 09/10/2013 12:04 PM, Rob Kendrick wrote: I wonder what people's opinions are on things like the randomsound daemon that is available for Linux. Daniel Silverstone, the author, specifically advises people to not use it. :) I haven't actually looked at the code. Conceptually, anything with an

Re: [Cryptography] Thoughts on hardware randomness sources

2013-09-10 Thread Rob Kendrick
On Tue, Sep 10, 2013 at 10:59:37AM -0400, Marcus D. Leech wrote: I wonder what people's opinions are on things like the randomsound daemon that is available for Linux. Daniel Silverstone, the author, specifically advises people to not use it. :) B.

[Cryptography] Thoughts on hardware randomness sources

2013-09-10 Thread Marcus D. Leech
I wonder what people's opinions are on things like the randomsound daemon that is available for Linux. Similarly, any hardware with an ADC input can be used as a hardware random noise source, simply by cranking up the gain to suitable levels where the low-order bit is sampling thermal

Re: [Cryptography] Fw: how could ECC params be subverted other evidence

2013-09-10 Thread Perry E. Metzger
On Tue, 10 Sep 2013 16:45:23 -0400 John Kelsey crypto@gmail.com wrote: [DBRG] seemed like a really weird place to put a backdoor, because it was insanely slow, and it seemed unlikely to get any significant use. As an aside, this is just the instance we know about, partially because they

Re: [Cryptography] Thoughts about keys

2013-09-10 Thread Guido Witmond
On 09/10/13 19:08, Peter Fairbrother wrote: The only assurance given by the scheme is that if a person gave you a hash which he generated himself, and you match it with a string and that string matches what you know about the person (eg their name or photo), then no-one else can have MTM'd it.

Re: [Cryptography] Availability of plaintext/ciphertext pairs (was Re: In the face of cooperative end-points, PFS doesn't help)

2013-09-10 Thread Perry E. Metzger
On Tue, 10 Sep 2013 17:04:04 -0400 Jerry Leichter leich...@lrw.com wrote: Phil Rogoway has a paper somewhere discussing the right way to implement cryptographic modes and API's. It would be useful to get a URL for it. In particular, he recommends changing the definition of CBC from: E_0 =

[Cryptography] Time for djb's Edwards curves in TLS?

2013-09-10 Thread Viktor Dukhovni
Is there a TLS WG draft adding djb's Curve1174 to the list of named curves supported by TLS? If there's credible doubt about the safety of the NIST curves, it seems that Curve1174 (in Edwards form) would make a good choice for EECDH, perhaps coupled with a similar curve with ~512 bits. Slides

Re: [Cryptography] Usage models (was Re: In the face of cooperative end-points, PFS doesn't help)

2013-09-10 Thread Walter van Holst
On 08/09/2013 21:51, Perry E. Metzger wrote: On Sun, 8 Sep 2013 14:50:07 -0400 Jerry Leichter leich...@lrw.com wrote: Even for one-to-one discussions, these days, people want transparent movement across their hardware. If I'm in a chat session on my laptop and leave the house, I'd like to be

Re: [Cryptography] Thoughts about keys

2013-09-10 Thread Peter Fairbrother
On 10/09/13 10:00, Guido Witmond wrote: Hi Peter, We really have different designs. I'll comment inline. On 09/09/13 19:12, Peter Fairbrother wrote: On 09/09/13 13:08, Guido Witmond wrote: I like to look at it the other way round, retrieving the correct name for a key. You don't give

Re: [Cryptography] [TLS] New Version Notification for draft-sheffer-tls-bcp-00.txt

2013-09-10 Thread james hughes
On Sep 9, 2013, at 7:30 PM, Michael Ströder michael at stroeder.com wrote: Peter Gutmann wrote: Do you have numbers about the relative and absolute performance impact? Personally I don't see performance problems but I can't prove my position with numbers. MBA-2:tmp synp$ openssl

Re: [Cryptography] People should turn on PFS in TLS

2013-09-10 Thread zooko
On Fri, Sep 06, 2013 at 06:18:05PM +0100, Ben Laurie wrote: On 6 September 2013 18:13, Perry E. Metzger pe...@piermont.com wrote: It would be good to see them abandon RC4 of course, and soon. In favour of what, exactly? We're out of good ciphersuites. Please ask your friendly

Re: [Cryptography] Availability of plaintext/ciphertext pairs (was Re: In the face of cooperative end-points, PFS doesn't help)

2013-09-10 Thread ianG
On 11/09/13 01:36 AM, Jerry Leichter wrote: (Generating a different one for this purpose is pointless - it would have to be random, in which case you might as well generate the IV randomly.) In a protocol I wrote with Zooko's help, we generate a random IV0 which is shared in the key

Re: [Cryptography] Evaluating draft-agl-tls-chacha20poly1305

2013-09-10 Thread William Allen Simpson
It bugs me that so many of the input words are mostly zero. Using the TLS Sequence Number for the nonce is certainly going to be mostly zero bits. And the block counter is almost all zero bits, as you note, (In the case of the TLS, limits on the plaintext size mean that the first counter