On Sun, 8 Sep 2013, Daniel Cegiełka wrote:
Subject: Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"
http://www.youtube.com/watch?v=K8EGA834Nok
Is DNSSEC really the right solution?
That is the most unprofessional talk I've seen djb give. He bluffed a
bunch of fanboys with
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
>> I am certainly not going to advocate Internet-scale KDC. But what
>> if the application does not need to scale more than a "network of
>> friends?"
>
> A thousand times yes.
There is however a little fly in that particular ointment. Sure, we can d
On 9/8/2013 4:27 AM, Eugen Leitl wrote:
----- Forwarded message from "James A. Donald" -----
Date: Sun, 08 Sep 2013 08:34:53 +1000
From: "James A. Donald"
To: cryptogra...@randombit.net
Subject: Re: [cryptography] Random number generation influenced, HW RNG
User-Agent: Mozilla/5.0 (Windows NT
Phillip Hallam-Baker writes:
>People buy guns despite statistics that show that they are orders of
>magnitude more likely to be shot with the gun themselves rather than by an
>attacker.
Some years ago NZ abolished its offensive (fighter) air force (the choice was
either to buy all-new, meaning
On 9/09/13 06:42 AM, James A. Donald wrote:
On 2013-09-09 11:15 AM, Perry E. Metzger wrote:
Lenstra, Heninger and others have both shown mass breaks of keys based
on random number generator flaws in the field. Random number
generators have been the source of a huge number of breaks over time.
P
Hi Jeffrey,
On 8/09/13 02:52 AM, Jeffrey I. Schiller wrote:
The IETF was (and probably still is) a bunch of hard working
individuals who strive to create useful technology for the
Internet.
Granted! I do not want to say that the IETF people are in a conspiracy
with someone or each other, o
On 9/09/13 02:16 AM, james hughes wrote:
I am honestly curious about the motivation not to choose more secure modes that
are already in the suites?
Something I wrote a bunch of years ago seems apropos, perhaps minimally
as a thought experiment:
Hypothesis #1 -- The One True Cipher Suite
Just got word from an Openswan developer:
"
To my knowledge, we never finished implementing the BTNS mode.
It wouldn't be hard to do --- it's mostly just conditionally commenting out
code.
"
There's obviously a large potential deployment base for
BTNS for home users, just think of Openswan/Open
On 8/09/13 21:24 PM, Perry E. Metzger wrote:
On Sat, 07 Sep 2013 18:50:06 -0700 John Gilmore wrote:
It was never clear to me why DNSSEC took so long to deploy,
[...]
PS:...
I believe you have answered your own question there, John. Even if we
assume subversion, deployment requires cooperati
http://www.ietf.org/blog/2013/09/security-and-pervasive-monitoring/
Security and Pervasive Monitoring
The Internet community and the IETF care deeply about how much we can trust
commonly used Internet services and the protocols that these services use.
So the reports about large-scale monitoring
On Sep 8, 2013, at 1:53 PM, Phillip Hallam-Baker wrote:
> I was asked to provide a list of potential points of compromise by a
> concerned party. I list the following so far as possible/likely:
It's not clear to me what kinds of compromises you're considering. You've
produced a list of a number
On 9 Sep 2013, at 10:45, Eugen Leitl wrote:
> Forwarded without permission, hence anonymized:
> "
> Hey, I had a look at SEC2 and the TLS/SSH RFCs. SSH uses secp256/384r1
> which has the same parameters as what's in SEC2 which are the same the
> parameters as specified in SP800-90 for Dual EC DRBG!
On 9/09/13 03:48 AM, James A. Donald wrote:
On 2013-09-09 6:08 AM, John Kelsey wrote:
a. Things that just barely work, like standards groups, must in general be
easier to sabotage in subtle ways than things that click along with great
efficiency. But they are also things that often fail with
On Sep 8, 2013, at 11:41 PM, james hughes wrote:
>>> In summary, it would appear that the most viable solution is to make
>> I don't see how it's possible to make any real progress within the existing
>> cloud model, so I'm with you 100% here. (I've said the same earlier.)
> Could cloud computing
On Mon, 9 Sep 2013, Daniel wrote:
> Is there anyone on the lists qualified in ECC mathematics that can
> confirm that?
NIST SP 800-90A, Rev 1 says:
The Dual_EC_DRBG requires the specifications of an elliptic curve and
two points on the elliptic curve. One of the following NIST approved
curv
On Sep 8, 2013, at 8:37 PM, James A. Donald wrote:
>> Your magic key must then take any block of N bits and magically
>> produce the corresponding plaintext when any given ciphertext
>> might correspond to many, many different plaintexts depending
>> on the key
> Suppose that the mappings from
On Sun, 8 Sep 2013, Perry E. Metzger wrote:
> What's the current state of the art of attacks against AES? Is the
> advice that AES-128 is (slightly) more secure than AES-256, at least
> in theory, still current?
I am not sure what is the exact attack you are talking about, but I
guess you misunde
On Sep 8, 2013, at 6:49 PM, Phillip Hallam-Baker wrote:
> ...The moral is that we have to find other market reasons to use security.
> For example simplifying administration of endpoints. I do not argue like some
> do that there is no market for security so we should give up, I argue that
> ther
Hi Perry,
I just came across your message [0] on retrieving the correct key for a
name. I believe that's called Squaring Zooko's Triangle.
I've come up with my ideas and protocol to address this need.
I call it eccentric-authentication. [1,2]
With Regards, Guido.
0: http://www.metzdowd.com/pi
On Sun, 8 Sep 2013, Peter Fairbrother wrote:
> On the one hand, if they continued to recommend that government people use
> 1024-bit RSA they could be accused of failing their mission to protect
> government communications.
>
> On the other hand, if they told ordinary people not to use 1024-bit RS
Forwarded without permission, hence anonymized:
"
Hey, I had a look at SEC2 and the TLS/SSH RFCs. SSH uses secp256/384r1
which has the same parameters as what's in SEC2 which are the same the
parameters as specified in SP800-90 for Dual EC DRBG!
TLS specifies you can use those two curves as well.
The article from "der Spiegel" in English can be found at:
http://www.spiegel.de/international/world/privacy-scandal-nsa-can-spy-on-smart-phone-data-a-920971.html
and an update ( in English ) will be added today.
-----Original Message-----
From: cryptography-bounces+nap.van.zuuren=pand
http://www.scottaaronson.com/blog/?p=1517
NSA: Possibly breaking US laws, but still bound by laws of computational
complexity
Last week, I got an email from a journalist with the following inquiry. The
recent Snowden revelations, which made public for the first time the US
government’s “black b
On 09/08/2013 11:56 PM, Jerry Leichter wrote:
Which brings into the light the question: Just *why* have so many random
number generators proved to be so weak.
Your three cases left off an important one: Not bothering to seed the
PRNG at all. I think the Java/Android cryptographic (!) librar
On Mon, Sep 9, 2013 at 3:58 AM, ianG wrote:
> On 9/09/13 02:16 AM, james hughes wrote:
>
> I am honestly curious about the motivation not to choose more secure
>> modes that are already in the suites?
>>
>
> Something I wrote a bunch of years ago seems apropos, perhaps minimally as
> a thought e
Perry asked me to summarise the status of TLS a while back ... luckily I
don't have to because someone else has:
http://tools.ietf.org/html/draft-sheffer-tls-bcp-00
In short, I agree with that draft. And the brief summary is: there's only
one ciphersuite left that's good, and unfortunately it's on
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Just to throw in my two cents...
In the early 1990s I wanted to roll out an encrypted e-mail solution
for the MIT Community (I was the Network Manager and responsible for
the mail system). We already had our Kerberos Authentication system
(of which I
On Sun, Sep 8, 2013 at 3:33 PM, Perry E. Metzger wrote:
> What's the current state of the art of attacks against AES? Is the
> advice that AES-128 is (slightly) more secure than AES-256, at least
> in theory, still current?
No. I assume that advice comes from related key attacks on AES, and Bru
On Mon, 9 Sep 2013 14:18:41 +0300 Alexander Klimov wrote:
> On Sun, 8 Sep 2013, Perry E. Metzger wrote:
> > What's the current state of the art of attacks against AES? Is the
> > advice that AES-128 is (slightly) more secure than AES-256, at
> > least in theory, still current?
>
> I am not sure w
List traffic levels are very high right now.
Although the current situation is worrisome to many of us, the list
becomes less useful to all when it becomes so clogged with posts that
it becomes impossible for any reasonable person to read it.
I and the co-moderators are probably going to start be
First, David, thank you for participating in this discussion.
To orient people, we're talking about whether Intel's on-chip
hardware RNGs should allow programmers access to the raw HRNG output,
both for validation purposes to make sure the whole system is working
correctly, and if they would prefe
On Mon, 9 Sep 2013 17:29:24 +0100 Ben Laurie wrote:
> Perry asked me to summarise the status of TLS a while back ...
> luckily I don't have to because someone else has:
>
> http://tools.ietf.org/html/draft-sheffer-tls-bcp-00
>
> In short, I agree with that draft. And the brief summary is: there
On Sep 9, 2013, at 9:29 AM, Ben Laurie wrote:
> Perry asked me to summarise the status of TLS a while back ... luckily I
> don't have to because someone else has:
>
> http://tools.ietf.org/html/draft-sheffer-tls-bcp-00
>
> In short, I agree with that draft. And the brief summary is: there's o
Some of you may have noticed that if you send from an envelope address
that isn't subscribed, your mail gets blocked even if your From:
address is correct in the email itself.
You can fix this by subscribing your other address and changing your
settings in Mailman so that the secondary address rec
On 09/05/2013 05:11 PM, Perry E. Metzger wrote:
> A hardware generator can have
> horrible flaws that are hard to detect without a lot of data from many
> devices.
Can you be more specific? What flaws?
On 09/08/2013 08:42 PM, James A. Donald wrote:
> It is hard, perhaps impossible, to have t
> then maybe it's not such a "silly accusation" to think that root CAs are
> routinely distributed to multinational secret
> services to perform MITM session decryption on any form of communication
> that derives its security from the CA PKI.
How would this work, in practice? How would knowing a
>> would you care to explain the very strange design decision
>> to whiten the numbers on chip, and not provide direct
>> access to the raw unwhitened output.
On 2013-09-09 2:40 PM, David Johnston wrote:
> #1 So that that state remains secret from things trying to
> discern that state for purpose
On Tue, 10 Sep 2013 00:23:51 +0200 Adam Back wrote:
> On Mon, Sep 09, 2013 at 06:03:14PM -0400, Perry E. Metzger wrote:
> >On Mon, 9 Sep 2013 14:07:58 +0300 Alexander Klimov wrote:
> >> No. They are widely used curves and thus a good way to reduce
> >> conspiracy theories that they were chosen in
On 09/09/13 13:08, Guido Witmond wrote:
Hi Perry,
I just came across your message [0] on retrieving the correct key for a
name. I believe that's called Squaring Zooko's Triangle.
I've come up with my ideas and protocol to address this need.
I call it eccentric-authentication. [1,2]
With Regard
>
> From: Eugen Leitl
>Forwarded with permission.
[snip]
> http://hack.org/mc/projects/btns/
>So there *is* a BTNS implementation, after all. Albeit
>only for OpenBSD -- but this means FreeBSD is next, and
>Linux to follow.
I might add that as far as I know, thi
> * NSA employees participated throughout, and occupied leadership roles
> in the committee and among the editors of the documents
> Slam dunk. If the NSA had wanted it, they would have designed it themselves.
> The only
> conclusion for their presence that is rational is to sabotage it
On 09/09/13 12:53, Alexander Klimov wrote:
On Sun, 8 Sep 2013, Peter Fairbrother wrote:
You can use any one of trillions of different elliptic curves, which should be
chosen partly at random and partly so they are the right size and so on; but
you can also start with some randomly-chosen numbers
On Mon, Sep 9, 2013 at 10:37 AM, Nemo wrote:
> The approach appears to be an attempt at a "nothing up my sleeve"
> construction. Appendix A says how to start with a seed value and use SHA-1
> as a pseudo-random generator to produce candidate curves until a suitable
> one is found.
>
The question
> -----Original Message-----
> From: cryptography-bounces+owen.shepherd=e43...@metzdowd.com
> [mailto:cryptography-bounces+owen.shepherd=e43...@metzdowd.com]
> On Behalf Of David Johnston
> Sent: 09 September 2013 05:41
> To: cryptography@metzdowd.com
> Subject: Re: [Cryptography] [cryptography] Ra
I have been reading FIPS 186-3 (
http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf) and 186-4 (
http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf), particularly
Appendix A describing the procedure for generating elliptic curves and
Appendix D specifying NIST's recommended curv
On Mon, 9 Sep 2013 14:07:58 +0300 Alexander Klimov wrote:
> On Mon, 9 Sep 2013, Daniel wrote:
> > Is there anyone on the lists qualified in ECC mathematics that can
> > confirm that?
>
> NIST SP 800-90A, Rev 1 says:
>
> The Dual_EC_DRBG requires the specifications of an elliptic curve
> and tw
Reading about several attacks based on partial message replay, I was
wondering if the following idea had any worth, or maybe was already
widely used (sorry, I'm way behind in the literature):
"the actual symmetric key to be used to encrypt the payload is the
hash of the shared secret, the time, an
On 09/09/13 23:03, Perry E. Metzger wrote:
On Mon, 9 Sep 2013, Daniel wrote:
[...] They are widely used curves and thus a good way to reduce
conspiracy theories that they were chosen in some malicious way to
subvert DRBG.
Er, don't we currently have documents from the New York Times and the
G
On Tue, 10 Sep 2013 00:25:20 +0100 Peter Fairbrother wrote:
> On 09/09/13 23:03, Perry E. Metzger wrote:
>
> >> On Mon, 9 Sep 2013, Daniel wrote:
> >> [...] They are widely used curves and thus a good way to reduce
> >> conspiracy theories that they were chosen in some malicious way
> >> to subve
Hi Ben,
On 09/09/2013 05:29 PM, Ben Laurie wrote:
> Perry asked me to summarise the status of TLS a while back ... luckily I
> don't have to because someone else has:
>
> http://tools.ietf.org/html/draft-sheffer-tls-bcp-00
>
> In short, I agree with that draft. And the brief summary is: there's
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
On 2013-09-09 at 23:14 +0200, Hanno Böck wrote:
> Also, DHE should only be considered secure with a large enough modulus
> (>=2048 bit). Apache hard-fixes this to 1024 bit and it's not
> configurable. So there even can be made an argument that ECD
Phillip Hallam-Baker wrote:
> 5) Protocol vulnerability that IETF might have fixed but was discouraged
> from fixing.
By the way, it was a very interesting exercise to actually write out
on graph paper the bytes that would be sent in a TLS exchange. I did
this with Paul Wouters while working on
On Sep 9, 2013, at 6:32 PM, "Perry E. Metzger" wrote:
> First, David, thank you for participating in this discussion.
>
> To orient people, we're talking about whether Intel's on-chip
> hardware RNGs should allow programmers access to the raw HRNG output,
> both for validation purposes to make s
On Sep 9, 2013, at 2:49 PM, Stephen Farrell wrote:
> On 09/09/2013 05:29 PM, Ben Laurie wrote:
>> Perry asked me to summarise the status of TLS a while back ... luckily I
>> don't have to because someone else has:
>>
>> http://tools.ietf.org/html/draft-sheffer-tls-bcp-00
>>
>> In short, I agre
On Mon, 9 Sep 2013 23:29:52 -0400 John Kelsey wrote:
> On Sep 9, 2013, at 6:32 PM, "Perry E. Metzger" wrote:
>
> > First, David, thank you for participating in this discussion.
> >
> > To orient people, we're talking about whether Intel's on-chip
> > hardware RNGs should allow programmers acc