[Cryptography] ADMIN: Re: Iran and murder

2013-10-11 Thread Tamzen Cannoy
I think this thread has run its course and is sufficiently off topic for this list, so I am declaring it closed. Thank you Tamzen

Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

2013-10-11 Thread John Kelsey
On Oct 11, 2013, at 1:48 AM, ianG i...@iang.org wrote: ... What's your goal? I would say you could do this if the goal was ultimate security. But for most purposes this is overkill (and I'd include online banking, etc, in that). We were talking about how hard it is to solve crypto

Re: [Cryptography] prism-proof email in the degenerate case

2013-10-11 Thread d.nix
On 10/10/2013 6:40 PM, grarpamp wrote: On Thu, Oct 10, 2013 at 11:58 AM, R. Hirschfeld r...@unipay.nl wrote: To send a prism-proof email, encrypt it for your recipient and send it to irrefrangi...@mail.unipay.nl. Don't include any information

Re: [Cryptography] prism-proof email in the degenerate case

2013-10-11 Thread Eugen Leitl
On Thu, Oct 10, 2013 at 03:54:26PM -0400, John Kelsey wrote: Having a public bulletin board of posted emails, plus a protocol for anonymously finding the ones your key can decrypt, seems like a pretty decent architecture for prism-proof email. The tricky bit of crypto is in making access to

Re: [Cryptography] PGP Key Signing parties

2013-10-11 Thread Eugen Leitl
On Thu, Oct 10, 2013 at 04:24:19PM -0700, Glenn Willen wrote: I am going to be interested to hear what the rest of the list says about this, because this definitely contradicts what has been presented to me as 'standard practice' for PGP use -- verifying identity using government issued ID,

Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

2013-10-11 Thread ianG
On 10/10/13 19:06 PM, John Kelsey wrote: Just thinking out loud The administrative complexity of a cryptosystem is overwhelmingly in key management and identity management and all the rest of that stuff. So imagine that we have a widely-used inner-level protocol that can use strong

Re: [Cryptography] PGP Key Signing parties

2013-10-11 Thread Phillip Hallam-Baker
Reply to various, Yes, the value in a given key signing is weak, in fact every link in the web of trust is terribly weak. However, if you notarize and publish the links in CT fashion then I can show that they actually become very strong. I might not have good evidence of John Gilmore's key at

[Cryptography] Key stretching

2013-10-11 Thread Phillip Hallam-Baker
All, Quick question, anyone got a good scheme for key stretching? I have this scheme for managing private keys that involves storing them as encrypted PKCS#8 blobs in the cloud. AES128 seems a little on the weak side for this but there are (rare) circumstances where a user is going to need to

Re: [Cryptography] PGP Key Signing parties

2013-10-11 Thread Richard Outerbridge
On 2013-10-10 (283), at 19:24:19, Glenn Willen gwil...@nerdnet.org wrote: John, On Oct 10, 2013, at 2:31 PM, John Gilmore wrote: An important user experience point is that we should be teaching GPG users to only sign the keys of people who they personally know. [] would be false

Re: [Cryptography] PGP Key Signing parties

2013-10-11 Thread ianG
On 11/10/13 02:24 AM, Glenn Willen wrote: John, On Oct 10, 2013, at 2:31 PM, John Gilmore wrote: ... Signing them would assert to any stranger that I know that this key belongs to this identity, which would be false and would undermine the strength of the web of trust. Where is this writ?

Re: [Cryptography] prism-proof email in the degenerate case

2013-10-11 Thread Erik de Castro Lopo
grarpamp wrote: On Thu, Oct 10, 2013 at 11:58 AM, R. Hirschfeld r...@unipay.nl wrote: To send a prism-proof email, encrypt it for your recipient and send it to irrefrangi...@mail.unipay.nl. Don't include any information about To receive prism-proof email, subscribe to the irrefrangible

Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

2013-10-11 Thread ianG
On 10/10/13 08:41 AM, Bill Frantz wrote: We should try to characterize what a very long time is in years. :-) Look at the product life cycle for known crypto products. We have some experience of this now. Skype, SSL v2/3 - TLS 0/1/2, SSH 1 - 2, PGP 2 - 5+. As a starting point, I would

Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

2013-10-11 Thread ianG
On 10/10/13 17:58 PM, Salz, Rich wrote: TLS was designed to support multiple ciphersuites. Unfortunately this opened the door to downgrade attacks, and transitioning to protocol versions that wouldn't do this was nontrivial. The ciphersuites included all shared certain misfeatures, leading to

Re: [Cryptography] prism-proof email in the degenerate case

2013-10-11 Thread Nico Williams
On Thu, Oct 10, 2013 at 04:22:50PM -0400, Jerry Leichter wrote: On Oct 10, 2013, at 11:58 AM, R. Hirschfeld r...@unipay.nl wrote: Very silly but trivial to implement so I went ahead and did so: To send a prism-proof email, encrypt it for your recipient and send it to

Re: [Cryptography] prism-proof email in the degenerate case

2013-10-11 Thread Smári McCarthy
On 10/10/2013 08:54 PM, John Kelsey wrote: Having a public bulletin board of posted emails, plus a protocol for anonymously finding the ones your key can decrypt, seems like a pretty decent architecture for prism-proof email. The tricky bit of crypto is in making access to the bulletin

Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

2013-10-11 Thread Zooko O'Whielacronx
I like the ideas, John. The idea, and the protocol you sketched out, are a little reminiscent of ZRTP ¹ and of tcpcrypt ². I think you can go one step further, however, and make it *really* strong, which is to offer the higher or outer layer a way to hook into the crypto from your inner layer.

Re: [Cryptography] PGP Key Signing parties

2013-10-11 Thread Tony Naggs
On 10 October 2013 22:31, John Gilmore g...@toad.com wrote: Does PGP have any particular support for key signing parties built in or is this just something that has grown up as a practice of use? It's just a practice. I agree that building a small amount of automation for key signing parties

[Cryptography] Broken RNG renders gov't-issued smartcards easily hackable.

2013-10-11 Thread Ray Dillinger
Saw this on Arstechnica today and thought I'd pass along the link. http://arstechnica.com/security/2013/09/fatal-crypto-flaw-in-some-government-certified-smartcards-makes-forgery-a-snap/2/ More detailed version of the story available at: https://factorable.net/paper.html Short version:

Re: [Cryptography] Key stretching

2013-10-11 Thread John Kelsey
This is a job for a key derivation function or a cryptographic prng. I would use CTR-DRBG from 800-90 with AES256. Or the extract-then-expand KDF based on HMAC-SHA512. --John

Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

2013-10-11 Thread Bill Frantz
On 10/11/13 at 10:32 AM, zoo...@gmail.com (Zooko O'Whielacronx) wrote: Don't try to study foolscap, even though it is a very interesting practical approach, because there doesn't exist documentation of the protocol at the right level for you to learn from. Look at the E language sturdy refs,

Re: [Cryptography] PGP Key Signing parties

2013-10-11 Thread Joe Abley
On 2013-10-11, at 07:03, Tony Naggs tonyna...@gmail.com wrote: On 10 October 2013 22:31, John Gilmore g...@toad.com wrote: Does PGP have any particular support for key signing parties built in or is this just something that has grown up as a practice of use? It's just a practice. I agree

Re: [Cryptography] Key stretching

2013-10-11 Thread Jerry Leichter
On Oct 11, 2013, at 11:26 AM, Phillip Hallam-Baker hal...@gmail.com wrote: Quick question, anyone got a good scheme for key stretching? I have this scheme for managing private keys that involves storing them as encrypted PKCS#8 blobs in the cloud. AES128 seems a little on the weak side

Re: [Cryptography] Broken RNG renders gov't-issued smartcards easily hackable.

2013-10-11 Thread Wouter Slegers
Dear Ray, On 2013-10-11, at 19:38 , Ray Dillinger b...@sonic.net wrote: This is despite meeting (for some inscrutable definition of meeting) FIPS 140-2 Level 2 and Common Criteria standards. These standards require steps that were clearly not done here. Yet, validation certificates were

Re: [Cryptography] PGP Key Signing parties

2013-10-11 Thread Jeremy Stanley
On 2013-10-11 12:03:44 +0100 (+0100), Tony Naggs wrote: Do key signing parties even happen much anymore? The last time I saw one advertised was around PGP 2.6! [...] Within more active pockets of the global free software community (where OpenPGP signatures are used to authenticate release

Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

2013-10-11 Thread Trevor Perrin
On Fri, Oct 11, 2013 at 10:32 AM, Zooko O'Whielacronx zoo...@gmail.com wrote: I like the ideas, John. The idea, and the protocol you sketched out, are a little reminiscent of ZRTP ¹ and of tcpcrypt ². I think you can go one step further, however, and make it *really* strong, which is to offer

Re: [Cryptography] prism-proof email in the degenerate case

2013-10-11 Thread Joe St Sauver
Hi, sm...@immi.is commented: #An alternative I've been considering is having e-mail clients support #bouncing messages if they are received for an incorrect envelope #address. So you can have an envelope address and a PGP encrypted blob, #and when you decrypt that blob there's a new RFC822

Re: [Cryptography] Key stretching

2013-10-11 Thread Peter Gutmann
Phillip Hallam-Baker hal...@gmail.com writes: Quick question, anyone got a good scheme for key stretching? http://lmgtfy.com/?q=hkdfl=1 Peter :-).