Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread John Kelsey
I don't see what problem would actually be solved by dropping public key crypto in favor of symmetric only designs. I mean, if the problem is that all public key systems are broken, then yeah, we will have to do something else. But if the problem is bad key generation or bad implementations,

Re: [Cryptography] FIPS, NIST and ITAR questions

2013-09-06 Thread John Kelsey
Sent from my iPad On Sep 3, 2013, at 6:06 PM, Jerry Leichter leich...@lrw.com wrote: On Sep 3, 2013, at 3:16 PM, Faré fah...@gmail.com wrote: Can't you trivially transform a hash into a PRNG, a PRNG into a cypher, and vice versa? No. hash-PRNG: append blocks that are digest (seed ++

Re: [Cryptography] FIPS, NIST and ITAR questions

2013-09-06 Thread John Kelsey
... Let H(X) = SHA-512(X) || SHA-512(X) where '||' is concatenation. Assuming SHA-512 is a cryptographically secure hash H trivially is as well. (Nothing in the definition of a cryptographic hash function says anything about minimality.) But H(X) is clearly not useful for producing a

Re: [Cryptography] Can you backdoor a symmetric cipher

2013-09-06 Thread Perry E. Metzger
On Thu, 5 Sep 2013 21:42:29 -0700 Jon Callas j...@callas.org wrote: On Sep 5, 2013, at 9:33 PM, Perry E. Metzger pe...@piermont.com wrote: It is probably very difficult, possibly impossible in practice, to backdoor a symmetric cipher. For evidence, I direct you to this old paper by

[Cryptography] Aside on random numbers (was Re: Opening Discussion: Speculation on BULLRUN)

2013-09-06 Thread Perry E. Metzger
On Fri, 6 Sep 2013 01:04:31 -0400 John Kelsey crypto@gmail.com wrote: I'm starting to think that I'd probably rather type in the results of a few dozen die rolls every month in to my critical servers and let AES or something similar in counter mode do the rest. A d20 has a bit

[Cryptography] Sabotaged hardware (was Re: Opening Discussion: Speculation on BULLRUN)

2013-09-06 Thread Perry E. Metzger
On Thu, 5 Sep 2013 22:31:50 -0400 Jerry Leichter leich...@lrw.com wrote: For example, at http://www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html?ref=uspagewanted=all, the following goal appears for FY 2013 appears: Complete enabling for

[Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)

2013-09-06 Thread Perry E. Metzger
One solution, preventing passive attacks, is for major browsers and websites to switch to using PFS ciphersuites (i.e. those based on ephemeral Diffie-Hellmann key exchange). It occurred to me yesterday that this seems like something all major service providers should be doing. I'm sure

Re: [Cryptography] Is ECC suspicious?

2013-09-06 Thread Dirk-Willem van Gulik
Op 6 sep. 2013, om 01:09 heeft Perry E. Metzger pe...@piermont.com het volgende geschreven: http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance …. The Suite B curves were picked some time ago. Maybe they have problems. …. Now, this certainly was a problem for

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread Eugen Leitl
On Thu, Sep 05, 2013 at 04:11:57PM -0400, Phillip Hallam-Baker wrote: If a person at Snowden's level in the NSA had any access to information Snowden didn't have clearance for that information. He's being described as 'brilliant' and purportedly was able to access documents far beyond his

Re: [Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)

2013-09-06 Thread Peter Saint-Andre
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 9/6/13 8:36 AM, Perry E. Metzger wrote: One solution, preventing passive attacks, is for major browsers and websites to switch to using PFS ciphersuites (i.e. those based on ephemeral Diffie-Hellmann key exchange). It occurred to me yesterday

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread Benjamin Kreuter
On Fri, 6 Sep 2013 01:19:10 -0400 John Kelsey crypto@gmail.com wrote: I don't see what problem would actually be solved by dropping public key crypto in favor of symmetric only designs. I mean, if the problem is that all public key systems are broken, then yeah, we will have to do

Re: [Cryptography] Suite B after today's news

2013-09-06 Thread Ralph Holz
Hi, Same here. AES is, as far as we know, pretty secure, so any problems are going to arise in how AES is used. AES-CBC wrapped in HMAC is about as solid as you can get. AES-GCM is a design or coding accident waiting to happen. But for right now, what options do we have that are actually

Re: [Cryptography] Aside on random numbers (was Re: Opening Discussion: Speculation on BULLRUN)

2013-09-06 Thread Bill Squier
On Sep 6, 2013, at 10:03 AM, Perry E. Metzger pe...@piermont.com wrote: Naively, one could take a picture of the dice and OCR it. However, one doesn't actually need to OCR the dice -- simply hashing the pixels from the image will have at least as much entropy if the position of the dice is

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread Kristian Gjøsteen
5. sep. 2013 kl. 23:14 skrev Tim Dierks t...@dierks.org: I believe it is Dual_EC_DRBG. The ProPublica story says: Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the

Re: [Cryptography] People should turn on PFS in TLS

2013-09-06 Thread Perry E. Metzger
On Fri, 6 Sep 2013 18:18:05 +0100 Ben Laurie b...@links.org wrote: On 6 September 2013 18:13, Perry E. Metzger pe...@piermont.com wrote: Google is also now (I believe) using PFS on their connections, and they handle more traffic than anyone. A connection I just made to

Re: [Cryptography] Can you backdoor a symmetric cipher (was Re: Opening Discussion: Speculation on BULLRUN)

2013-09-06 Thread Jerry Leichter
It is probably very difficult, possibly impossible in practice, to backdoor a symmetric cipher. For evidence, I direct you to this old paper by Blaze, Feigenbaum and Leighton: http://www.crypto.com/papers/mkcs.pdf There is also a theorem somewhere (I am forgetting where) that says

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread Jerry Leichter
Perhaps it's time to move away from public-key entirely! We have a classic paper - Needham and Schroeder, maybe? - showing that private key can do anything public key can; it's just more complicated and less efficient. Not really. The Needham-Schroeder you're thinking of is the essence of

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread Jerry Leichter
On Sep 6, 2013, at 7:28 AM, Jerry Leichter wrote: ...Much of what you say later in the message is that the way we are using symmetric-key systems (CA's and such)... Argh! And this is why I dislike using symmetric and asymmetric to describe cryptosystems: In English, the distinction is way

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread Tim Dierks
On Fri, Sep 6, 2013 at 3:03 AM, Kristian Gjøsteen kristian.gjost...@math.ntnu.no wrote: Has anyone, anywhere ever seen someone use Dual-EC-DRBG? I mean, who on earth would be daft enough to use the slowest possible DRBG? If this is the best NSA can do, they are over-hyped. It's

Re: [Cryptography] IA side subverted by SIGINT side

2013-09-06 Thread John Gilmore
I have a small amount of raised eyebrow because the greatest bulwark we have against the SIGINT capabilities of any intelligence agency are that agency's IA cousins. I don't think that the Suite B curves would have been intentionally weak. That would be a shock. Then be shocked, shocked that

Re: [Cryptography] People should turn on PFS in TLS

2013-09-06 Thread Ralph Holz
Hi, It would be good to see them abandon RC4 of course, and soon. In favour of what, exactly? We're out of good ciphersuites. I thought AES was okay for TLS 1.2? Isn't the issue simply that Firefox etc. still use TLS 1.0? Note that this was a TLS 1.2 connection. Firefox has added TLS 1.2

Re: [Cryptography] Aside on random numbers (was Re: Opening Discussion: Speculation on BULLRUN)

2013-09-06 Thread Jerry Leichter
On Sep 6, 2013, at 10:03 AM, Perry E. Metzger wrote: Naively, one could take a picture of the dice and OCR it. However, one doesn't actually need to OCR the dice -- simply hashing the pixels from the image will have at least as much entropy if the position of the dice is recognizable from

Re: [Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)

2013-09-06 Thread Raphaël Jacquot
On 06.09.2013 18:20, Peter Saint-Andre wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 9/6/13 8:36 AM, Perry E. Metzger wrote: One solution, preventing passive attacks, is for major browsers and websites to switch to using PFS ciphersuites (i.e. those based on ephemeral Diffie-Hellmann

Re: [Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)

2013-09-06 Thread Daniel Veditz
On 9/6/2013 9:52 AM, Raphaël Jacquot wrote: To meet today’s PCI DSS crypto standards DHE is not required. PCI is about credit card fraud. Mastercard/Visa aren't worried that criminals are storing all your internet purchase transactions with the hope they can crack it later; if the FBI/NSA want

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread ianG
On 6/09/13 04:50 AM, Peter Gutmann wrote: Perry E. Metzger pe...@piermont.com writes: At the very least, anyone whining at a standards meeting from now on that they don't want to implement a security fix because it isn't important to the user experience or adds minuscule delays to an initial

Re: [Cryptography] Sabotaged hardware (was Re: Opening Discussion: Speculation on BULLRUN)

2013-09-06 Thread Jerry Leichter
On Sep 6, 2013, at 11:37 AM, John Ioannidis wrote: I'm a lot more worried about FDE (full disk encryption) features on modern disk drives, for all the obvious reasons. If you're talking about the FDE features built into disk drives - I don't know anyone who seriously trusts it. Every secure

Re: [Cryptography] People should turn on PFS in TLS

2013-09-06 Thread Ben Laurie
On 6 September 2013 18:24, Perry E. Metzger pe...@piermont.com wrote: On Fri, 6 Sep 2013 18:18:05 +0100 Ben Laurie b...@links.org wrote: On 6 September 2013 18:13, Perry E. Metzger pe...@piermont.com wrote: Google is also now (I believe) using PFS on their connections, and they

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread James A. Donald
On 2013-09-06 12:31 PM, Jerry Leichter wrote: Another interesting goal: Shape worldwide commercial cryptography marketplace to make it more tractable to advanced cryptanalytic capabilities being developed by NSA/CSS. Elsewhere, enabling access and exploiting systems of interest and inserting

[Cryptography] 1024 bit DH still common in Tor network

2013-09-06 Thread Perry E. Metzger
Summary: blog posting claims most of the Tor network is still running older software that uses 1024 bit Diffie-Hellman. http://blog.erratasec.com/2013/09/tor-is-still-dhe-1024-nsa-crackable.html I'm not sure how cheap it actually would be to routinely crack DH key exchanges, but it does seem

Re: [Cryptography] Suite B after today's news

2013-09-06 Thread Jack Lloyd
I think that any of OCB, CCM, or EAX are preferable from a security standpoint, but none of them parallelize as well. If you want to do a lot of encrypted and authenticated high-speed link encryption, well, there is likely no other answer. It's GCM or nothing. OCB parallelizes very well in

Re: [Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)

2013-09-06 Thread Peter Fairbrother
On 06/09/13 15:36, Perry E. Metzger wrote: One solution, preventing passive attacks, is for major browsers and websites to switch to using PFS ciphersuites (i.e. those based on ephemeral Diffie-Hellmann key exchange). It occurred to me yesterday that this seems like something all major service

[Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-06 Thread Jaap-Henk Hoepman
In this oped in the Guardian http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance Bruce Schneier writes: Prefer symmetric cryptography over public-key cryptography. The only reason I can think of is that for public key crypto you typically use an American (and

Re: [Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-06 Thread Eugen Leitl
On Fri, Sep 06, 2013 at 04:25:12PM -0400, Jerry Leichter wrote: A response he wrote as part of a discussion at http://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html: Q: Could the NSA be intercepting downloads of open-source encryption software and silently replacing these with

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread ianG
On 6/09/13 11:32 AM, ianG wrote: And, controlling processes is just what the NSA does. https://svn.cacert.org/CAcert/CAcert_Inc/Board/oss/oss_sabotage.html Oops, for those unfamiliar with CAcert's peculiar use of secure browsing, drop the 's' in the above URL. Then it will securely load.

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread Perry E. Metzger
On Fri, 6 Sep 2013 09:03:27 +0200 Kristian Gjøsteen kristian.gjost...@math.ntnu.no wrote: As a co-author of an analysis of Dual-EC-DRBG that did not emphasize this problem (we only stated that Q had to be chosen at random, Ferguson co were right to emphasize this point), I would like to ask:

Re: [Cryptography] People should turn on PFS in TLS

2013-09-06 Thread Perry E. Metzger
On Fri, 6 Sep 2013 18:56:51 +0100 Ben Laurie b...@links.org wrote: The problem is that there's nothing good [in the way of ciphers] left for TLS 1.2. So, lets say in public that the browser vendors have no excuse left for not going to 1.2. I hate to be a conspiracy nutter, but it is that kind

Re: [Cryptography] People should turn on PFS in TLS

2013-09-06 Thread Perry E. Metzger
On Fri, 06 Sep 2013 18:52:46 +0200 Raphaël Jacquot sxp...@sxpert.org wrote: While I applaud this move on the part of the Nginx dev team there is a tradeoff and that is slower performance. DHE provides stronger encryption which in turn requires more computation but here’s where it gets

[Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-06 Thread Jerry Leichter
A response he wrote as part of a discussion at http://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html: Q: Could the NSA be intercepting downloads of open-source encryption software and silently replacing these with their own versions? A: (Schneier) Yes, I believe so.

[Cryptography] Bruce Schneier calls for independent prosecutor to investigate NSA

2013-09-06 Thread Perry E. Metzger
Quoting: All of this denying and lying results in us not trusting anything the NSA says, anything the president says about the NSA, or anything companies say about their involvement with the NSA. We know secrecy corrupts, and we see that corruption. There's simply no

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread Peter Gutmann
ianG i...@iang.org writes: And, controlling processes is just what the NSA does. https://svn.cacert.org/CAcert/CAcert_Inc/Board/oss/oss_sabotage.html How does '(a) Organizations and Conferences' differ from SOP for these sorts of things? Peter. ___

Re: [Cryptography] Suite B after today's news

2013-09-06 Thread Peter Gutmann
Ralph Holz ralph-cryptometz...@ralphholz.de writes: But for right now, what options do we have that are actually implemented somewhere? Take SSL. CBC mode has come under pressure for SSL (CRIME, BEAST, etc.), and I don't see any move towards TLS 1.0.

[Cryptography] Washington Post: Google racing to encrypt links between data centers

2013-09-06 Thread Perry E. Metzger
Quoting: Google is racing to encrypt the torrents of information that flow among its data centers around the world, in a bid to thwart snooping by the NSA as well as the intelligence agencies of foreign governments, company officials said on Friday. The move by Google is among the

Re: [Cryptography] People should turn on PFS in TLS

2013-09-06 Thread Ben Laurie
On 6 September 2013 18:13, Perry E. Metzger pe...@piermont.com wrote: Google is also now (I believe) using PFS on their connections, and they handle more traffic than anyone. A connection I just made to https://www.google.com/ came out as, TLS 1.2, RC4_128, SHA1, ECDHE_RSA. It would be good

Re: [Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)

2013-09-06 Thread ianG
On 6/09/13 20:15 PM, Daniel Veditz wrote: On 9/6/2013 9:52 AM, Raphaël Jacquot wrote: To meet today’s PCI DSS crypto standards DHE is not required. PCI is about credit card fraud. So was SSL ;-) Sorry, couldn't resist... Mastercard/Visa aren't worried that criminals are storing all

Re: [Cryptography] tamper-evident crypto?

2013-09-06 Thread John Denker
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 09/05/2013 06:48 PM, Richard Clayton wrote: so you'd probably fail to observe any background activity that tested whether this information was plausible or not and then some chance event would occur that caused someone from Law Enforcement

Re: [Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)

2013-09-06 Thread Ben Laurie
On 6 September 2013 17:20, Peter Saint-Andre stpe...@stpeter.im wrote: Is there a handy list of PFS-friendly ciphersuites that I can communicate to XMPP developers and admins so they can start upgrading their software and deployments? Anything with EDH, DHE or ECDHE in the name...

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread Jerry Leichter
Following up on my own posting: [The NSA] want to buy COTS because it's much cheap, and COTS is based on standards. So they have two contradictory constraints: They want the stuff they buy secure, but they want to be able to break in to exactly the same stuff when anyone else buys it.

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread ianG
On 6/09/13 08:04 AM, John Kelsey wrote: It is possible Dual EC DRBG had its P and Q values generated to insert a trapdoor, though I don't think anyone really knows that (except the people who generated it, but they probably can't prove anything to us at this point). It's also immensely

Re: [Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)

2013-09-06 Thread Anne Lynn Wheeler
we were brought in as consultants to a small client/server startup that wanted to do payment transactions on their server, they had this technology they called SSL they wanted to use, the result is now frequently called electronic commerce. The two people at the startup responsible for the

[Cryptography] Matthew Green on BULLRUN

2013-09-06 Thread Perry E. Metzger
Some interesting nuggets here, including the fact that he explicitly calls out the existence of NSA's new HUMINT division that infiltrates corporations for a living. http://blog.cryptographyengineering.com/2013/09/on-nsa.html -- Perry E. Metzgerpe...@piermont.com

Re: [Cryptography] NSA and cryptanalysis

2013-09-06 Thread ianG
On 6/09/13 04:44 AM, Peter Gutmann wrote: John Kelsey crypto@gmail.com writes: If I had to bet, I'd bet on bad rngs as the most likely source of a breakthrough in decrypting lots of encrypted traffic from different sources. If I had to bet, I'd bet on anything but the crypto. Why attack

Re: [Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-06 Thread Harald Koch
On 6 September 2013 16:25, Jerry Leichter leich...@lrw.com wrote: Q: Could the NSA be intercepting downloads of open-source encryption software and silently replacing these with their own versions? http://c2.com/cgi/wiki?TheKenThompsonHack (and many other references)

Re: [Cryptography] Washington Post: Google racing to encrypt links between data centers

2013-09-06 Thread Marcus D. Leech
On 09/06/2013 07:38 PM, Perry E. Metzger wrote: Quoting: Google is racing to encrypt the torrents of information that flow among its data centers around the world, in a bid to thwart snooping by the NSA as well as the intelligence agencies of foreign governments, company

Re: [Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-06 Thread Lodewijk andré de la porte
That they have the capacity doesn't mean they ever actually did it, Schneier's comment is conservative. It is obviously within in their (legal) capacity to change anything going accross US and INTNET cables and to forge a some families of signatures. 2013/9/6 Eugen Leitl eu...@leitl.org On

Re: [Cryptography] Washington Post: Google racing to encrypt links between data centers

2013-09-06 Thread Lodewijk andré de la porte
Right. Maybe some AES32? 2013/9/7 Perry E. Metzger pe...@piermont.com Quoting: Google is racing to encrypt the torrents of information that flow among its data centers around the world, in a bid to thwart snooping by the NSA as well as the intelligence agencies of foreign

Re: [Cryptography] Suite B after today's news

2013-09-06 Thread Jon Callas
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Sep 6, 2013, at 11:41 AM, Jack Lloyd ll...@randombit.net wrote: I think that any of OCB, CCM, or EAX are preferable from a security standpoint, but none of them parallelize as well. If you want to do a lot of encrypted and authenticated

Re: [Cryptography] People should turn on PFS in TLS

2013-09-06 Thread James Cloos
PEM == Perry E Metzger pe...@piermont.com writes: PEM Anyone at a browser vendor resisting the move to 1.2 should be PEM viewed with deep suspicion. Is anyone? NSS has 1.2 now; it is, AIUI, in progress for ff and sm. Chromium supports it (as of version 29, it seems). Opera supports 1.2 (at

Re: [Cryptography] People should turn on PFS in TLS

2013-09-06 Thread The Doctor
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 09/06/2013 01:13 PM, Perry E. Metzger wrote: Google is also now (I believe) using PFS on their connections, and they handle more traffic than anyone. A connection I just made to https://www.google.com/ came out as, TLS 1.2, RC4_128, SHA1,

Re: [Cryptography] People should turn on PFS in TLS

2013-09-06 Thread The Doctor
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 09/06/2013 01:13 PM, Perry E. Metzger wrote: Google is also now (I believe) using PFS on their connections, and they handle more traffic than anyone. A connection I just made to https://www.google.com/ came out as, TLS 1.2, RC4_128, SHA1,

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread Jon Callas
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Sep 6, 2013, at 4:42 AM, Jerry Leichter leich...@lrw.com wrote: Argh! And this is why I dislike using symmetric and asymmetric to describe cryptosystems: In English, the distinction is way too brittle. Just a one-letter difference - and

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread Jon Callas
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Sep 6, 2013, at 6:23 AM, Jerry Leichter leich...@lrw.com wrote: Is such an attack against AES *plausible*? I'd have to say no. But if you were on the stand as an expert witness and were asked under cross-examination Is this *possible*?, I

[Cryptography] ADMIN: Reminder, yet again...

2013-09-06 Thread Perry E. Metzger
Sadly it seems I need to repeat this: We've got a very large number of participants on this list, and volume has gone way up at the moment thanks to current events. To make the experience pleasant for everyone please: 1) Cut down the original you're quoting to only the relevant portions to

[Cryptography] NYTimes: Legislation Seeks to Bar N.S.A. Tactic in Encryption

2013-09-06 Thread Perry E. Metzger
Quoting: After disclosures about the National Security Agency’s stealth campaign to counter Internet privacy protections, a congressman has proposed legislation that would prohibit the agency from installing “back doors” into encryption, the electronic scrambling that protects

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread Derrell Piper
...and to add to all that, how about the fact that IPsec was dropped as a 'must implement' from IPv6 sometime after 2002? signature.asc Description: Message signed with OpenPGP using GPGMail ___ The cryptography mailing list cryptography@metzdowd.com

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread Kevin W. Wall
On 9/6/2013 1:05 PM, Perry E. Metzger wrote: I have re-read the NY Times article. It appears to only indicate that this was *a* standard that was sabotaged, not that it was the only one. In particular, the Times merely indicates that they can now confirm that this particular standard was

Re: [Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-06 Thread Chris Palmer
Q: Could the NSA be intercepting downloads of open-source encryption software and silently replacing these with their own versions? Why would they perform the attack only for encryption software? They could compromise people's laptops by spiking any popular app.

Re: [Cryptography] People should turn on PFS in TLS

2013-09-06 Thread Chris Palmer
On Fri, Sep 6, 2013 at 5:34 PM, The Doctor dr...@virtadpt.net wrote: Symmetric cipher RC4 (weak 10/49) Symmetric key length 128 bits (weak 8/19) Cert issued by Google, Inc, US SHA-1 with RSA @ 2048 bit (MODERATE 2/6) First time I've heard of 128-bit symmetric called weak... Sure, RC4 isn't

Re: [Cryptography] In the face of cooperative end-points, PFS doesn't help

2013-09-06 Thread Marcus D. Leech
It seems to me that while PFS is an excellent back-stop against NSA having/deriving a website RSA key, it does *nothing* to prevent the kind of cooperative endpoint scenario that I've seen discussed in other forums, prompted by the latest revelations about what NSA has been up to. But if

Re: [Cryptography] NSA hates sunshine

2013-09-06 Thread John Gilmore
As of Jan-2014 CAs are forbidden from issuing/signing anything less than 2048 certs. For some value of forbidden. :-) Yeah, just like employees at big companies are forbidden to reveal how they are collaborating with NSA. Years ago I heard what happened when George Davida filed a

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-06 Thread Jon Callas
On Sep 6, 2013, at 6:13 AM, Jaap-Henk Hoepman j...@cs.ru.nl wrote: In this oped in the Guardian http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance Bruce Schneier writes: Prefer symmetric cryptography over public-key cryptography. The only reason I can

Re: [Cryptography] Using Raspberry Pis

2013-09-06 Thread Ben Laurie
On 26 August 2013 22:43, Perry E. Metzger pe...@piermont.com wrote: (I would prefer to see hybrid capability systems in such applications, like Capsicum, though I don't think any such have been ported to Linux and that's a popular platform for such work.) FWIW, we're working on a Linux port

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread Derrell Piper
On Sep 6, 2013, at 8:22 PM, John Gilmore g...@toad.com wrote: Speaking as someone who followed the IPSEC IETF standards committee pretty closely, while leading a group that tried to implement it and make so usable that it would be used by default throughout the Internet, I noticed some

Re: [Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-06 Thread The Doctor
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 09/06/2013 08:48 PM, Chris Palmer wrote: Why would they perform the attack only for encryption software? They could compromise people's laptops by spiking any popular app. What is more important to them: A single system, or all of the comms

Re: [Cryptography] People should turn on PFS in TLS

2013-09-06 Thread The Doctor
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 09/06/2013 09:02 PM, Chris Palmer wrote: First time I've heard of 128-bit symmetric called weak... Sure, RC4 isn't awesome but they seem to be saying that 128-bit keys per se are weak. calomel.org may be erring on the side of weak due to known

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread Jerry Leichter
On Sep 6, 2013, at 8:58 PM, Jon Callas wrote: I've long suspected that NSA might want this kind of property for some of its own systems: In some cases, it completely controls key generation and distribution, so can make sure the system as fielded only uses good keys. If the algorithm

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-06 Thread Marcus D. Leech
The magic of public key crypto is that it gets rid of the key management problem -- if I'm going to communicate with you with symmetric crypto, how do I get the keys to you? The pain of it is that it replaces it with a new set of problems. Those problems include that the amazing power of

[Cryptography] I have to whistle to blow...

2013-09-06 Thread Dan McDonald
... but I must scream. http://kebesays.blogspot.com/2013/09/i-have-no-whistle-to-blow-but-i-must.html FYI, and thanks, Dan McD. ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

Re: [Cryptography] Using Raspberry Pis

2013-09-06 Thread Marcus D. Leech
On 09/07/2013 12:04 AM, Ben Laurie wrote: On 26 August 2013 22:43, Perry E. Metzger pe...@piermont.com mailto:pe...@piermont.com wrote: (I would prefer to see hybrid capability systems in such applications, like Capsicum, though I don't think any such have been ported to Linux