(Short) Intro and question

2007-01-07 Thread Allen
Hi everyone, I'm Allen Schaaf and I'm primarily an information security analyst - I try to look at things like a total stranger and ask all the dumb questions hoping to stumble on one or two that hadn't been asked before that will reveal a potential risk. I'm currently consulting at a very

Re: Private Key Generation from Passwords/phrases

2007-01-18 Thread Allen
Joseph, The whole issue of entropy is a bit vague for me - I don't normally work at that end of things - so could you point to a good tutorial on the subject, or barring having a reference handy, could you give an overview? Thanks, Allen Joseph Ashwood wrote: - Original Message

Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-18 Thread Allen
, but with proprietary code, fergetit. Closed-source doesn't mean that it is snake-oil. If that was the case, the Microsoft's EFS, and Kerberos implementation would be snake oil too. As I recall there have been a few problems with Kerberos in the past. Best, Allen

Attacking the hash (WAS: Private Key Generation from Passwords/phrases)

2007-01-24 Thread Allen
the long history of industrial espionage in the corporate world I'm sure that there are probably small teams working to collect information that have somewhat more resources than an individual or outsider group might have, making the effort required feasible. Thoughts? Best, Allen Leichter

Re: analysis and implementation of LRW

2007-01-25 Thread Allen
for the lifespan of the person, which could be 70+ years after the medical record is created. Think of the MRI of a kid to scan for some condition that may be genetic in origin and has to be monitored and compared with more recent results their whole life. Thanks, Allen

Re: Private Key Generation from Passwords/phrases

2007-02-04 Thread Allen
an easy attack? Thanks, Allen - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: data under one key, was Re: analysis and implementation of LRW

2007-02-05 Thread Allen
Vlad SATtva Miller wrote: Allen wrote on 31.01.2007 01:02: I'll skip the rest of your excellent, and thought provoking post as it is future and I'm looking at now. From what you've written and other material I've read, it is clear that even if the horizon isn't as short as five years

Entropy of other languages

2007-02-05 Thread Allen
the entropy of ideographic languages? Pictographic? Hieroglyphic? Thanks, Allen - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: padlocks with backdoors - TSA approved

2007-02-27 Thread Allen
identifiable data in encrypted form in their offices, but when they send me the quote it's in plain text in an e-mail! Thinking through all aspects of the design and application of a security model is mostly lacking as far as I can tell. Best, Allen Hadmut Danisch wrote: Hi, has this been

Cracking the code?

2007-03-03 Thread Allen
, could the attack be generalized so that it could be used against other enterprises that use the same software? (It is very(!) widely deployed), and D) am I missing something in my thinking? Thanks, Allen - The Cryptography

Additional Re: More info in my AES128-CBC question

2007-04-23 Thread Allen
Sorry gang. In my response to David I forgot to provide the link to a brief history of ulcers from the CDC which is very interesting from the point of view of how long it takes for experts to accept evidence. http://www.cdc.gov/ulcer/history.htm Have fun. Allen

Re: More info in my AES128-CBC question

2007-04-26 Thread Allen
of governance and protecting people who hold divergent views or beliefs from intimidation. Best, Allen - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: Cryptome cut off by NTT/Verio

2007-04-29 Thread Allen
of a plug, but I'm not getting anything for it, just letting people know that there are good folk out there. Best, Allen Bill Squier wrote: On Apr 29, 2007, at 11:47 AM, Perry E. Metzger wrote: Slightly off topic, but not deeply. Many of you are familiar with John Young's Cryptome web site

MORE Re: Cryptome cut off by NTT/Verio

2007-04-29 Thread Allen
will work for at least a few days I imagine: http://cryptome.org/cryptome-shut.htm Okay gang, The URL/URI is http://www.sound-by-design.com/cryptome/Cryptome.htm It has a lot of the shut down stuff down the page a bit. Sorry, no internal links and no images. Allen

STILL MORE Re: Cryptome cut off by NTT/Verio

2007-04-29 Thread Allen
will work for at least a few days I imagine: http://cryptome.org/cryptome-shut.htm Okay gang, I've loaded it at: http://www.sound-by-design.com/cryptome/cryptome-shut.htm Sorry, no images and internal links but at least the bulk is there. Best, Allen

Re: Was a mistake made in the design of AACS?

2007-05-04 Thread Allen
are the downside risks for Sony in doing this? What am I missing in this picture? Thanks, Allen - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: Was a mistake made in the design of AACS?

2007-05-04 Thread Allen
targets and the ducks are small and have wings. Best, Allen - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: Ross Anderson paper on fraud, risk and nonbank payment systems

2007-05-12 Thread Allen
themselves are neutral. Best, Allen - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

A crazy thought?

2007-05-26 Thread Allen
. This might work if the compromise of the CA happened *after* the original certificate was issued, but what if the compromise was long standing? Is there any way to accomplish this? Thoughts? Best to all, Allen

Re: A crazy thought?

2007-06-09 Thread Allen
cryptography, to assist us in achieving well founded trust relationships. Best, Allen - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: A crazy thought?

2007-06-09 Thread Allen
would have to happen before we wouldn't trust *any* public key to represent who we think it does? How will dissident groups keep from getting compromised when fighting oppression? Best, Allen - The Cryptography Mailing

Re: question re practical use of secret sharing

2007-06-23 Thread Allen
enough shares to cover vacations, out of range, and other vagaries of human existence. BTW, on the net is a demo of secret sharing: http://point-at-infinity.org//demo.html Allen Peter Gutmann wrote: Charles Jackson [EMAIL PROTECTED] writes: Is anyone aware of a commercial product

Backdoor Man...

2007-06-30 Thread Allen
for, say John the Ripper on a P4 3GHz with 1GB of memory (or some other commodity level computer) to the tera (soon to be peta it looks like) flop ratings on super computers? Thanks, Allen - The Cryptography Mailing List

Re: a new way to build quantum computers?

2007-08-19 Thread Allen
always loved the old saw, Be careful what you wish for, you just might get it. My addendum is that you will probably not like the unintended consequences. Best, Allen - The Cryptography Mailing List Unsubscribe by sending

In all the talk of super computers there is not...

2007-09-04 Thread Allen
and just renders errors. I'm guessing that even the botnets in current use couldn't do it in any reasonable time frame nor is the storage space available at an affordable price for any but three letter agencies. Am I correct? Allen

Re: flavors of reptile lubricant, was Another Snake Oil Candidate

2007-09-23 Thread Allen
/1401val2006.htm#682 Best, Allen - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: Hushmail in U.S. v. Tyler Stumbo

2007-11-06 Thread Allen
for it but few understand that you have to work at it constantly. Best, Allen - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: PlayStation 3 predicts next US president

2007-12-03 Thread Allen
William Allen Simpson wrote: [snip] Actually, I deal with notaries regularly. I've always had to physically sign while watched by the notary. They always read the stuff notarized, and my supporting identification, because they are notarizing a signature (not a document). And yes

Re: PlayStation 3 predicts next US president

2007-12-11 Thread Allen
William Allen Simpson wrote: [snip] The whole point of a notary is to bind a document to a person. That the person submitted two or more different documents at different times is readily observable. After all, the notary has the document(s)! No, the notary does not have the documents *after

Re: Death of antivirus software imminent

2008-01-18 Thread Allen
, nails or heads. Best, Allen - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: two-person login?

2008-01-30 Thread Allen
of a great tool for introducing security, encryption and similar bits at: http://www.cryptool.org/ I use the tool when teaching classes to executives and even they can get it so you know it is pretty easy to follow. Very well written explanations. Best, Allen

Another NXP Mifare Classic attack

2008-03-15 Thread Allen
http://www.dailyprogress.com/servlet/Satellite?pagename=CDP/MGArticle/CDP_BasicArticlec=MGArticlecid=1173354778618path= The article is not real clear about the level of physical dissection actually used, but it does appear that progress is being made on that front as well. Allen

Re: how to read information from RFID equipped credit cards

2008-03-27 Thread Allen
at as a potential model. Best, Allen - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: Cruising the stacks and finding stuff

2008-04-23 Thread Allen
double hulls now. But that still didn't prevent the Busan from spilling 58,000 gallons of bunker oil in the San Francisco Bay. If they hadn't had a double hull, how much would the have spilled? Oh, well, given how risk adverse we tend to be it is odd the choices we make. Best, Allen

Re: more on malicious hardware

2008-04-27 Thread Allen
by adventuresome minds to see how *few* gates are needed to compromise a chip's security much like the self replicating code referenced by Ken Thompson in his paper? Best, Allen - The Cryptography Mailing List Unsubscribe

From FDE list...

2008-05-09 Thread Allen
. The agency is not yet ready to announce the results of the test, according to Jan Walker, a spokeswoman for the agency. H Best, Allen - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography

Question re Turing test and image recognition

2008-05-22 Thread Allen
and a cat or a child laughing or just happy and the degree of reliability of the differentiation. I've done a bit of looking around and don't find much. Does anyone have knowledge of or a pointer to someone who might know where to look about this? Thanks, Allen

Re: not crypto, but fraud detection + additional

2008-05-27 Thread Allen
, Allen - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: RIM to give in to GAK in India

2008-06-02 Thread Allen
://www.magicjack.com/1/index.asp). The software is: http://zfoneproject.com/getstarted.html Best, Allen - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

The wisdom of the ill informed

2008-06-29 Thread Allen
old K6-II can crack this in less than one minute as there are only 1.11*10^6 possible. You can lead a horse to water Best, Allen - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL

Re: The wisdom of the ill informed

2008-06-30 Thread Allen
Arshad Noor wrote: While programmers or business=people could be ill-informed, Allen, I think the greater danger is that IT auditors do not know enough about cryptography, and consequently pass unsafe business processes and/or software as being secure. This is the reason why we in the OASIS

Re: The wisdom of the ill informed

2008-06-30 Thread Allen
Nicolas Williams wrote: On Mon, Jun 30, 2008 at 07:16:17AM -0700, Allen wrote: Given this, the real question is, /Quis custodiet ipsos custodes?/ Putting aside the fact that cryptographers aren't custodians of anything, it's all about social institutions. Well, I wouldn't say they aren't

Secure voice?

2008-07-05 Thread Allen
was developed by Ogden's Voice Commerce Group in partnership with U.S. speech software firm Nuance Communications. Best, Allen - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Upper limit?

2008-07-05 Thread Allen
Is there an upper limit on the number of RSA Public/Private 1024 bit key pairs possible? If so what is the relationship of the number of 1024 bit to the number of 2048 and 4096 bit key pairs? Thanks, Allen - The Cryptography

Re: Dutch chipmaker sues to silence security researchers

2008-07-10 Thread Allen
? Given that those in charge rarely listen in any case, perhaps they are trying to promote stress related health problems in a secret conspiracy with doctors. ;- Best, Allen - The Cryptography Mailing List Unsubscribe by sending

[Fwd: [ekmi] Public Review of SKSML v1.0]

2008-07-25 Thread Allen
because of a lack of oversight by the general cryptography community. Best Regards, Allen Original Message Subject: [ekmi] Public Review of SKSML v1.0 Date: Thu, 24 Jul 2008 22:04:49 -0400 From: Mary McRae [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Organization: OASIS

Is snake oil cryptography trans-fat free?

2008-08-15 Thread Allen
Yet more that is implausible: http://www.securstar.com/products_drivecrypt.php Best, Allen - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Extended certificate error

2008-08-18 Thread Allen
expired. I'm running Firefox 3.01, and Java 6 Update 7. The error appears to be with Java as that is the window that pops up. Best, Allen - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL

Re: Extended certificate error

2008-08-19 Thread Allen
Peter Gutmann wrote: Allen [EMAIL PROTECTED] writes: I just got a warning that a certificate had expired and yet the data in it says: [From: Tue Aug 05 17:00:00 PDT 2003, To: Mon Aug 05 16:59:59 PDT 2013] The error message says: The digital signature was generated with a trusted

OpenSSH compromise at Red Hat

2008-08-26 Thread Allen
I'm a bit surprised no one has mentioned the Red Hat server being hacked and the certificated being compromised on Fedora. http://www.eweek.com/c/a/Security/Red-Hat-Digital-Keys-Violated-By-Intruder/ Best, Allen

Quiet in the list...

2008-09-06 Thread Allen
?search=0xBB678C30op=index Yes, I regard the combination of Thunderbird + Enigmail + GPG as the best existing solution for secure email. What does anyone think of of the combo? Best, Allen - The Cryptography Mailing List

Re: street prices for digital goods?

2008-09-11 Thread Allen
? Thanks, Allen - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

[Fwd: [announce] THC releases video and tool to backup/modify ePassports]

2008-10-24 Thread Allen
We knew it was coming, right? Original Message Subject: [announce] THC releases video and tool to backup/modify ePassports Date: Mon, 29 Sep 2008 10:00:26 + From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] http://freeworld.thc.org/thc-epassport/ 29th September 2008

Re: Attacking networks using DHCP, DNS - probably kills DNSSEC

2003-06-30 Thread William Allen Simpson
both the user and administrator configure a per host secret was apparently out of the question. -- William Allen Simpson Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32 - The Cryptography Mailing List

Re: Reliance on Microsoft called risk to U.S. security

2003-09-28 Thread William Allen Simpson
! -- William Allen Simpson Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32 - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Feds admit error in hacking conviction

2003-10-17 Thread William Allen Simpson
for a reversal. It's pretty damn rare, he said. I have never seen it happen. ... -- William Allen Simpson Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32 - The Cryptography Mailing List Unsubscribe by sending

US Court says no privacy in wiretap law

2004-07-01 Thread William Allen Simpson
phone conversations that are temporarily stored in electronic routers during transmission. [page 51-52] As this is a US Court of Appeals, it sets precedent that other courts will use, and directly applies to all ISPs in the NE US. -- William Allen Simpson Key fingerprint = 17 40 5E 67

Re: entropy depletion

2005-01-09 Thread William Allen Simpson
and magic numbers, generally transmitted verbatum. However, since we have a ready source of non-blocking keying material in /dev/urandom, it seems to be better to use that instead of the blocking critical resource -- William Allen Simpson Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9

Re: entropy depletion

2005-01-26 Thread William Allen Simpson
on the chin, and stick in the random(5) page the description of how reliable the device meets the requirement. (This might be a resend, my net was dropping all sorts of stuff today and I lost the original.) That's OK, the writing was clearer the second time around. -- William Allen Simpson Key

Re: Simson Garfinkel analyses Skype - Open Society Institute

2005-01-28 Thread Mark Allen Earnest
be different if they are wrongfully assuming that their communications are encrypted by what they believe is strong encryption when if fact it may be very very low. -- Mark Allen Earnest Lead Systems Programmer Emerging Technologies The Pennsylvania State University smime.p7s Description: S/MIME

Re: Dell to Add Security Chip to PCs

2005-02-05 Thread Mark Allen Earnest
spoofing useless if they decide to make it so that only IE could connect to ISS. Again though, doing so would piss off a great many of their customers, some of who are slowly jumping ship to other solutions anyway. -- Mark Allen Earnest Lead Systems Programmer Emerging Technologies The Pennsylvania

Re: encrypted tapes (was Re: Papers about Algorithm hiding ?)

2005-06-07 Thread Mark Allen Earnest
in return. -- Mark Allen Earnest Lead Systems Programmer Emerging Technologies The Pennsylvania State University Lt Commander Centre County Sheriff's Office Search and Rescue KB3LYB smime.p7s Description: S/MIME Cryptographic Signature

Re: [Clips] Does Phil Zimmermann need a clue on VoIP?

2005-08-06 Thread Mark Allen Earnest
PK with PKI. Almost NOBODY has ever done PKI right. The I is the part everyone conveniently forgets when they claim otherwise. -- Mark Allen Earnest Lead Systems Programmer Emerging Technologies The Pennsylvania State University KB3LYB smime.p7s Description: S/MIME Cryptographic Signature

Re: The summer of PKI love

2005-08-12 Thread Mark Allen Earnest
in practice for trust. -- Mark Allen Earnest Lead Systems Programmer Emerging Technologies The Pennsylvania State University KB3LYB smime.p7s Description: S/MIME Cryptographic Signature

European country forbids its citizens from smiling for passport photos

2005-09-17 Thread William Allen Simpson
for prime time. (seen at http://isthatlegal.org) -- William Allen Simpson Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32 - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL

Re: ISAKMP flaws?

2005-11-17 Thread William Allen Simpson
considerations. Compare with Photuris [RFC-2522], where undergraduate (Keromytis) and graduate (Spatscheck, Provos) students independently were able to complete interoperable implementations (in their spare time) in a month or so So, no, some security folks didn't ignore this ;-) -- William Allen

Re: ISAKMP flaws?

2005-11-18 Thread William Allen Simpson
. Again, the ISAKMP flaws were foreseeable and avoidable. And Photuris was written before the existence of ISAKMP. -- William Allen Simpson Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32 - The Cryptography

Re: ISAKMP flaws?

2005-11-19 Thread William Allen Simpson
is the community to replace ISAKMP with something more robust? Provos' Photuris code could be running on all the BSDs in a few months. Maybe sooner, were payment involved. -- William Allen Simpson Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32

Re: Linux RNG paper

2006-04-10 Thread William Allen Simpson
]): Date: Sun, 15 Aug 1999 10:00:01 -0400 From: William Allen Simpson [EMAIL PROTECTED] Catching up, and after talking with John Kelsey and Sandy Harris at SAC'99, it seems clear that there is some consensus on these lists that the semantics of /dev/urandom need improvement

Internet Identity Workshop (IIW) May 1-3, 2006

2006-04-17 Thread William Allen Simpson
? -- William Allen Simpson Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32 - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: what's wrong with HMAC?

2006-05-02 Thread William Allen Simpson
. Of course, AFAICT, the trailing key makes the various recent attacks on MD5 and SHA1 entirely inapplicable. -- William Allen Simpson Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32 - The Cryptography Mailing

Re: NSA knows who you've called.

2006-05-12 Thread William Allen Simpson
Perry E. Metzger wrote: http://www.usatoday.com/news/washington/2006-05-10-nsa_x.htm Legal analysis from Center for Democracy and Technology at: http://www.cdt.org/publications/policyposts/2006/8 -- William Allen Simpson Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32

IKE resource exhaustion at 2 to 10 packets per second

2006-07-27 Thread William Allen Simpson
http://www.nta-monitor.com/posts/2006/07/cisco-concentrator-dos.html The vulnerability allows an attacker to exhaust the IKE resources on a remote VPN concentrator by starting new IKE sessions faster than the concentrator expires them from its queue. By doing this, the attacker fills up the

Re: Security Implications of Using the Data Encryption Standard (DES)

2006-12-28 Thread William Allen Simpson
Leichter, Jerry wrote: | note that there have been (at least) two countermeasures to DES brute-force | attacks ... one is 3DES ... and the other ... mandated for some ATM networks, | has been DUKPT. while DUKPT doesn't change the difficulty of brute-force | attack on single key ... it creates a

Re: Linus: Security is people wanking around with their opinions

2007-10-02 Thread William Allen Simpson
I often say, Rub a pair of cryptographers together, and you'll get three opinions. Ask three, you'll get six opinions. :-) However, he's talking about security, which often isn't quantifiable! And don't get me ranting about provable security Had a small disagreement with somebody at

Re: PlayStation 3 predicts next US president

2007-12-02 Thread William Allen Simpson
James A. Donald wrote: This attack does not require the certifier to be compromised. You are referring to a different page (that I did not reference). Never-the-less, both attacks require the certifier to be compromised! The attack was to generate a multitude of predictions for the US

Re: PlayStation 3 predicts next US president

2007-12-02 Thread William Allen Simpson
Weger, B.M.M. de wrote: The parlor trick demonstrates a weakness of the pdf format, not MD5. I disagree. We could just as easy have put the collision blocks in visible images. Parlor trick. ... We could just as easy have used MS Word documents, or any document format in which there is some

Re: PlayStation 3 predicts next US president

2007-12-03 Thread William Allen Simpson
James A. Donald wrote: Not true. Because they are notarizing a signature, not a document, they check my supporting identification, but never read the document being signed. This will be my last posting. You have refused several requests to stick to the original topic at hand. Apparently,

Re: PlayStation 3 predicts next US president

2007-12-03 Thread William Allen Simpson
Weger, B.M.M. de wrote: See http://www.win.tue.nl/hashclash/TargetCollidingCertificates/ ... Our first chosen-prefix collision attack has complexity of about 2^50, as described in our EuroCrypt 2007 paper. This has been considerably improved since then. In the full paper that is in preparation

Re: PlayStation 3 predicts next US president

2007-12-09 Thread William Allen Simpson
Personally, I thought this horse was well drubbed, but the moderator let this message through, so he must think it important to continue James A. Donald wrote: William Allen Simpson wrote: The notary would never sign a hash generated by somebody else. Instead, the notary generates its

Re: PlayStation 3 predicts next US president

2007-12-10 Thread William Allen Simpson
Francois Grieu wrote: That's because if Tn is known (including chosen) to some person, then (due to the weakness in MD5 we are talking about), she can generate Dp and Dp' such that S( MD5(Tn || Dp || Cp || Cn) ) = S( MD5(Tn || Dp' || Cp || Cn) ) whatever Cp, Cn and S() are. First of all, the

Re: RNG for Padding

2008-03-16 Thread William Allen Simpson
We had many discussions about this 15 years ago You usually have predictable plaintext. A cipher that isn't strong enough against a chosen/known plaintext attack has too many other protocol problems to worry about mere padding! For IPsec, we originally specified random padding with 1

Re: On the unpredictability of DNS

2008-07-31 Thread William Allen Simpson
I've changed the subject. Some of my own rants are about mathematical cryptographers that are looking for the perfect solution, instead of practical security solution. Always think about the threat first! In this threat environment, the attacker is unlikely to have perfect knowledge of the

Re: On the unpredictability of DNS

2008-08-09 Thread William Allen Simpson
It seems like enough time has passed to post publicly, as some of these are now common knowledge: Ben Laurie wrote: William Allen Simpson wrote: Keep in mind that the likely unpredictability is about 2**24. In many or most cases, that will be implementation limited to 2**18 or less. Why

Re: once more, with feeling.

2008-09-10 Thread William Allen Simpson
James A. Donald wrote: Peter Gutmann wrote: Unfortunately I think the only way it (and a pile of other things as well) may get stamped out is through a multi-pronged approach that includes legislation, and specifically properly thought-out requirements I agree. I'm sure this is a

Re: AES HDD encryption was XOR

2008-12-08 Thread William Allen Simpson
Jerry Leichter wrote: ... accurately states that AES-128 is thought to be secure within the state of current and expected cryptographic knowledge, it propagates the meme of the short key length of only 128 bits. A key length of 128 bits is beyond any conceivable brute force attack - in and

Re: CPRNGs are still an issue.

2008-12-16 Thread William Allen Simpson
Perry E. Metzger wrote: [Snip admirably straightforward threat and requirements analysis] Yes, you can attempt to gather randomness at run time, but there are endless ways to screw that up -- can you *really* tell if your random numbers are random enough? -- and in a cheap device with low

Re: Possibly questionable security decisions in DNS root management

2009-10-20 Thread William Allen Simpson
Nicolas Williams wrote: Getting DNSSEC deployed with sufficiently large KSKs should be priority #1. I agree. Let's get something deployed, as that will lead to testing. If 90 days for the 1024-bit ZSKs is too long, that can always be reduced, or the ZSK keylength be increased -- we too can

Re: [Cryptography] Evaluating draft-agl-tls-chacha20poly1305

2013-09-10 Thread William Allen Simpson
It bugs me that so many of the input words are mostly zero. Using the TLS Sequence Number for the nonce is certainly going to be mostly zero bits. And the block counter is almost all zero bits, as you note, (In the case of the TLS, limits on the plaintext size mean that the first counter

Re: [Cryptography] Evaluating draft-agl-tls-chacha20poly1305

2013-09-11 Thread William Allen Simpson
On 9/11/13 6:00 AM, Alexandre Anzala-Yamajako wrote: Chacha20 being a stream cipher, the only requirement we have on the ICV is that it doesn't repeat isn't ? You mean IV, the Initialization Vector. ICV is the Integrity Check Value, usually 32-64 bits appended to the packet. Each is

Re: [Cryptography] Evaluating draft-agl-tls-chacha20poly1305

2013-09-11 Thread William Allen Simpson
On 9/11/13 10:27 AM, Adam Langley wrote: [attempt two, because I bounced off the mailing list the first time.] On Tue, Sep 10, 2013 at 9:35 PM, William Allen Simpson william.allen.simp...@gmail.com wrote: Why generate the ICV key this way, instead of using a longer key blob from TLS

Re: [Cryptography] Evaluating draft-agl-tls-chacha20poly1305

2013-09-11 Thread William Allen Simpson
On 9/11/13 10:37 AM, Adam Langley wrote: On Tue, Sep 10, 2013 at 10:59 PM, William Allen Simpson william.allen.simp...@gmail.com wrote: Or you could use 16 bytes, and cover all the input fields There's no reason the counter part has to start at 1. It is the case that most of the bottom

Re: [Cryptography] Key stretching

2013-10-12 Thread William Allen Simpson
On 10/11/13 7:34 PM, Peter Gutmann wrote: Phillip Hallam-Baker hal...@gmail.com writes: Quick question, anyone got a good scheme for key stretching? http://lmgtfy.com/?q=hkdfl=1 Yeah, that's a weaker simplification of the method I've always advocated, stopping the hash function before the