Re: "PGP Encryption Proves Powerful"

2003-05-31 Thread Anton Stiglic
So what happened to passphrase guessing? That's got to be one of the weakest links. Unless their private key wasn't stored on the device? --Anton - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography

Re: Security of DH key exchange

2003-06-20 Thread Anton Stiglic
- Original Message - From: "Jaap-Henk Hoepman" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, June 20, 2003 5:02 AM Subject: Security of DH key exchange > > In practice the following method of exchanging keys using DH is used, to ensure > bit security of the resulting session

Re: pubkeys for p and g

2003-06-26 Thread Anton Stiglic
I'm not certain I understand your questions, but here are some answers (I think). In the DH protocol you have what we call public parameters, p and g. p is a large prime integer, which defines a group Z*p, g is a generator which defines a subgroup in Z*p. You can use fixed values for p and g. Now, par

Re: Fwd: [IP] A Simpler, More Personal Key to Protect Online Messages

2003-07-09 Thread Anton Stiglic
- Original Message - From: "Whyte, William" <[EMAIL PROTECTED]> [...] > But you don't have to contact the CA to get someone's certificate. > A standard way is to send them an email saying "can you send me > a signed message?" Yes, that works. When I want someone to send me confidential

Re: replay & integrity

2003-07-09 Thread Anton Stiglic
> Integrity: Financial protocols that use crypto > (as opposed to ones abused by crypto) generally > include signed messages. The signature provides > for its own integrity, as well as a few other > things. I don't believe that is enough. Take for example the SSL 2.0 ciphersuite rollback vulner

Re: Looking for an N -out-of-M split algorithm

2003-07-16 Thread Anton Stiglic
> Does anyone have any idea where I might learn about this algorithm - or > indeed any algorithm which does the job. Just as Perry mentioned, look into Shamir Secret Sharing. There are also implementations of this, see for example http://www.astro.gla.ac.uk/users/norman/distrib/tontine.html (I'm

Re: PRNG design document?

2003-08-25 Thread Anton Stiglic
> "Software Generation of Practically Strong Random Numbers" by Peter > Gutmann > > http://www.cs.auckland.ac.nz/~pgut001/pubs/usenix98.pdf > > and the followup: > > http://www.cypherpunks.to/~peter/06_random.pdf > > David That's a good reference on PRNGs. There is also the work on Yarrow, h

Re: PRNG design document?

2003-08-27 Thread Anton Stiglic
- Original Message - From: "Bob Baldwin PlusFive" <[EMAIL PROTECTED]> To: "Tim Dierks" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Friday, August 22, 2003 1:00 PM Subject: Re: PRNG design document? > Tim, > One issue to consider is whether the system > that includes the PRNG

Re: PRNG design document?

2003-09-02 Thread Anton Stiglic
- Original Message - From: "Thor Lancelot Simon" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, August 29, 2003 3:45 PM Subject: Re: PRNG design document? > On Fri, Aug 29, 2003 at 11:27:41AM +0100, Ben Laurie wrote: > > > > > > As you mentioned, the FIPS-140-2 approved PRNG

Re: PRNG design document?

2003-09-02 Thread Anton Stiglic
> Allow me to clarify my problem a little. I'm commonly engaged to review > source code for a security audit, some such programs include a random > number generator, many of which are of ad-hoc design. The nature of such > audits is that it's much more appealing to be able to say "here are three >

Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-05 Thread Anton Stiglic
Really exciting news. If I'm not mistaken, this would be the first free, open-source, crypto library that has FIPS 140 module certification! Other free open-source libraries have algorithms that have been FIPS 140 certified, but the whole module hasn't been certified (example Cryptlib and Crypto++

Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-05 Thread Anton Stiglic
> On Fri, Sep 05, 2003 at 01:32:21PM -0400, Anton Stiglic wrote: > > If I'm not mistaken, this would be the first free, > > open-source, crypto library that has FIPS 140 module certification! > > I believe that this is incorrect. > > The two open-source proj

Re: cryptographic ergodic sequence generators?

2003-09-08 Thread Anton Stiglic
> [...] > The Yarrow RNG uses counter-mode as a PRNG. However in the paper they > describe some effects you may want to avoid by re-keying depending on > your application as the stream becomes distinguishable from random > output. > > Adam This is essentially because if your output sequence of n-

Re: Code breakers crack GSM cellphone encryption

2003-09-08 Thread Anton Stiglic
>- Original Message - >From: "John Doe Number Two" <[EMAIL PROTECTED]> >To: "R. A. Hettinga" <[EMAIL PROTECTED]>; "Clippable" <[EMAIL PROTECTED]> >Cc: <[EMAIL PROTECTED]> >Sent: Sunday, September 07, 2003 6:45 PM >Subject: Re: Code breakers crack GSM cellphone encryption > >It's nice to

Re: Code breakers crack GSM cellphone encryption

2003-09-08 Thread Anton Stiglic
- Original Message - From: "Greg Rose" <[EMAIL PROTECTED]> To: "Anton Stiglic" <[EMAIL PROTECTED]> Cc: "John Doe Number Two" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Monday, September 08, 2003 1:39 PM Subject: Re: Code break

Re: End of the line for Ireland's dotcom star

2003-09-24 Thread Anton Stiglic
> Why is it that none of those 100-odd companies with keys in the browsers > are doing anything with them? Verisign has such a central role in > the infrastructure, but any one of those other companies could compete. > Why isn't anyone undercutting Verisign's prices? Look what happened with > Th

Re: VeriSign tapped to secure Internet voting

2003-10-02 Thread Anton Stiglic
> Schu stressed that several layers of security will prevent hackers from > accessing the system. VeriSign will house the security servers in its own > hosting centers. The company will ask military personnel to use their > Common Access Cards--the latest form of ID for the military--to access > th

Re: anonymous DH & MITM

2003-10-03 Thread Anton Stiglic
- Original Message - From: "Tim Dierks" <[EMAIL PROTECTED]> > > I think it's a tautology: there's no such thing as MITM if there's no such > thing as identity. You're talking to the person you're talking to, and > that's all you know. That seems to make sense. In anonymity providing s

Re: DH with shared secret

2003-10-03 Thread Anton Stiglic
- Original Message - From: "Jack Lloyd" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, October 03, 2003 5:13 AM Subject: DH with shared secret > This was just something that popped into my head a while back, and I was > wondering if this works like I think it does. And who ca

Re: anonymous DH & MITM

2003-10-03 Thread Anton Stiglic
- Original Message - From: "Jerrold Leichter" <[EMAIL PROTECTED]> > [...] > | > I think it's a tautology: there's no such thing as MITM if there's no such > | > thing as identity. You're talking to the person you're talking to, and > | > that's all you know. > | > | That seems to make se

Re: how to defeat MITM using plain DH, Re: anonymous DH & MITM

2003-10-06 Thread Anton Stiglic
- Original Message - From: "Ed Gerck" <[EMAIL PROTECTED]> To: "Anton Stiglic" <[EMAIL PROTECTED]> Cc: "Jerrold Leichter" <[EMAIL PROTECTED]>; "Cryptography list" <[EMAIL PROTECTED]>; "Tim Dierks" <[EMAIL PROTECT

Re: anonymity +- credentials

2003-10-06 Thread Anton Stiglic
- Original Message - From: "bear" <[EMAIL PROTECTED]> To: "John S. Denker" <[EMAIL PROTECTED]> Cc: "R. A. Hettinga" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Friday, October 03, 2003 6:05 PM Subject: Re: anonymity +- credentials > > > On Fri, 3 Oct 2003, John S. Denker wrote: > > >

Re: anonymous DH & MITM

2003-10-06 Thread Anton Stiglic
- Original Message - From: "Jerrold Leichter" <[EMAIL PROTECTED]> To: "Anton Stiglic" <[EMAIL PROTECTED]> Cc: "Jerrold Leichter" <[EMAIL PROTECTED]>; "Cryptography list" <[EMAIL PROTECTED]>; "Tim Dierks" <[EMAIL

Re: anonymous DH & MITM

2003-10-06 Thread Anton Stiglic
- Original Message - From: "Jerrold Leichter" <[EMAIL PROTECTED]> To: "Tim Dierks" <[EMAIL PROTECTED]> Cc: "Jerrold Leichter" <[EMAIL PROTECTED]>; "Cryptography list" <[EMAIL PROTECTED]> Sent: Friday, October 03, 2003 8:19 PM Subject: Re: anonymous DH & MITM > | From: Tim Dierks <[EMAIL

Re: anonymity +- credentials

2003-10-07 Thread Anton Stiglic
- Original Message - From: "Ian Grigg" <[EMAIL PROTECTED]> > [...] > In terms of actual "practical" systems, ones > that implement to Brands' level don't exist, > as far as I know? There were however several projects that implemented and tested the credentials system. There was CAFE

Re: NCipher Takes Hardware Security To Network Level

2003-10-07 Thread Anton Stiglic
- Original Message - From: "Peter Gutmann" <[EMAIL PROTECTED]> > [...] > If you think that's scary, look at Microsoft's CryptoAPI for Windows XP FIPS > 140 certification. As with physical security certifications like BS 7799, you > start by defining your security perimeter, defining ever

Re: NCipher Takes Hardware Security To Network Level

2003-10-07 Thread Anton Stiglic
- Original Message - From: "Peter Gutmann" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Tuesday, October 07, 2003 11:07 AM Subject: Re: NCipher Takes Hardware Security To Network Level > "Anton Stiglic" <[EMAIL

Re: NCipher Takes Hardware Security To Network Level

2003-10-11 Thread Anton Stiglic
- Original Message - From: "Peter Gutmann" <[EMAIL PROTECTED]> > [...] > > The problem is > that what we really need to be able to evaluate is how committed a vendor is > to creating a truly secure product. > [...] I agree 100% with what you said. Your 3 group classification seems accur

Re: Internal format of RSA private keys in microsoft keystore.

2003-10-15 Thread Anton Stiglic
- Original Message - From: "R.Sriram" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, October 10, 2003 1:20 AM Subject: Internal format of RSA private keys in microsoft keystore. > Greetings, > > In the process of trying to work around some of the limitations > of the m$-CAPI

Re: NCipher Takes Hardware Security To Network Level

2003-10-15 Thread Anton Stiglic
- Original Message - From: "Ian Grigg" <[EMAIL PROTECTED]> > * In contrast, someone who knows little about cars, > can objectively evaluate a car. They can take it > for a test drive and see if it feels right. Using > it is proving it. I'm not totally convinced of this... Someone wit

Re: SSL, client certs, and MITM (was WYTM?)

2003-11-12 Thread Anton Stiglic
- Original Message - From: "Tom Otvos" <[EMAIL PROTECTED]> > As far as I can glean, the general consensus in WYTM is that MITM attacks are very low (read: > inconsequential) probability. I'm not certain this was the consensus. We should look at the scenarios in which this is possible,

Re: SSL, client certs, and MITM (was WYTM?)

2003-11-12 Thread Anton Stiglic
> I'm not sure how you come to that conclusion. Simply > use TLS with self-signed certs. Save the cost of the > cert, and save the cost of the re-evaluation. > > If we could do that on a widespread basis, then it > would be worth going to the next step, which is caching > the self-signed certs,

Re: A-B-a-b encryption

2003-11-19 Thread Anton Stiglic
- Original Message - From: "Jeremiah Rogers" <[EMAIL PROTECTED]> To: "crypto list" <[EMAIL PROTECTED]> Sent: Sunday, November 16, 2003 12:50 PM Subject: Re: A-B-a-b encryption > This is Shamir's Three-Pass Protocol, described in section 22.3 of > Schneier. It requires a commutative crypt

Re: Are there...one-way encryption algorithms

2003-11-19 Thread Anton Stiglic
"David Wagner" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > martin f krafft wrote: > >it came up lately in a discussion, and I couldn't put a name to it: > >a means to use symmetric crypto without exchanging keys: > > > > - Alice encrypts M with key A and sends it to Bob > > -

Re: Problems with GPG El Gamal signing keys?

2003-11-27 Thread Anton Stiglic
- Original Message - From: "Perry E.Metzger" <[EMAIL PROTECTED]> > Some notes have been floating around claiming that there are bugs in > GPG's use of El Gamal keys. For example, see: > http://groups.google.com/groups?selm=E1AOvTM-0001nY-00%40alberti.g10code.de&oe=UTF-8&output=gplain > >

Re: Problems with GPG El Gamal signing keys?

2003-12-01 Thread Anton Stiglic
- Original Message - From: "Ralf Senderek" <[EMAIL PROTECTED]> To: "Werner Koch" <[EMAIL PROTECTED]>; "cryptography" <[EMAIL PROTECTED]> Sent: Thursday, November 27, 2003 11:23 AM Subject: Re: Problems with GPG El Gamal signing keys? > On Thu, 27 Nov 2003, Werner Koch wrote: > > > Yes,

Re: safety of Pohlig-Hellman with a common modulus?

2003-12-07 Thread Anton Stiglic
- Original Message - From: "Peter Fairbrother" <[EMAIL PROTECTED]> To: "David Wagner" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Saturday, December 06, 2003 7:58 PM Subject: Re: safety of Pohlig-Hellman with a common modulus? > David Wagner wrote: > > > Steve Bellovin wrote: > >> I

Re: yahoo to use public key technology for anti-spam

2003-12-07 Thread Anton Stiglic
- Original Message - From: "Carl Ellison" <[EMAIL PROTECTED]> To: "'Will Rodger'" <[EMAIL PROTECTED]>; "'Steve Bellovin'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Sunday, December 07, 2003 8:44 AM Subject: RE: yahoo to use public key technology for anti-spam > I, for one, hate the

Re: yahoo to use public key technology for anti-spam

2003-12-09 Thread Anton Stiglic
- Original Message - From: "Steven M. Bellovin" <[EMAIL PROTECTED]> > I use a variety of email addresses, for various reasons. I have my > usual work account, some university accounts, a few personal accounts, > one I reserve for EBay use, etc. I also use several different SMTP > se

Re: "Zero Knowledge Authentication"? (was Cryptolog Unicity Software-Only Digital Certificates)

2003-12-14 Thread Anton Stiglic
> Previously used primarily in scientific/academic applications, "zero > knowledge" authentication is a method of proving a user's identity without > revealing his password to the verifier. So anybody knows exactly what this zero-knowledge authentication is that they use? > Using this technology,

Re: Postgraduate programs

2003-12-14 Thread Anton Stiglic
>Good day, > I wonder if you could suggest some of the best postgraduate programs focusing on crypto related themes in the world? >I am making research that will relate schools, security advances and government policies on several countries and knowing your suggestions >on good schools is a key com

Re: PKI root signing ceremony, etc.

2003-12-15 Thread Anton Stiglic
> Some folks here might be interested in >http://webservices.xml.com/pub/a/ws/2003/12/09/salz.html > which walks through a secure, auditable root keygen and signing ceremony. We had something similar going on at Zero-Knowledge Systems for the PKI of the Freedom servers. But the password that pr

Re: CIA - the cryptographer's intelligent aid?

2004-01-07 Thread Anton Stiglic
The thing about CIA is that it is commonly used in security (not cryptography) courses to mean Confidentiality, Integrity (of systems) and Availability (instead of Authentication). Availability of systems, services and information. For crypto I always talked about CAIN or PAIN (like in no PAIN no

Re: Any good books or URLs for WinXP crypto & security?

2004-01-07 Thread Anton Stiglic
NSA Windows hardening guides: http://nsa2.www.conxion.com/ --Anton

Re: [Fwd: Re: Non-repudiation (was RE: The PAIN mnemonic)]

2004-01-08 Thread Anton Stiglic
- Original Message - From: "Jerrold Leichter" <[EMAIL PROTECTED]> Cc: "Cryptography" <[EMAIL PROTECTED]> Sent: Wednesday, January 07, 2004 7:14 AM Subject: Re: [Fwd: Re: Non-repudiation (was RE: The PAIN mnemonic)] > Now that we've trashed non-repudiation ... just how is it different fr

Re: [Mac_crypto] Apple should use SHA! (or stronger) to authenticate software releases

2004-04-05 Thread Anton Stiglic
The attacks by Dobbertin on MD5 only allow one to find collisions in the compression function, not the whole MD5 hash. But it is a sign that something might be fishy about MD5. MD5 output is 128 bits. There are two types of collision finding attacks that can be applied. In the first you are given

Re: [Mac_crypto] Apple should use SHA! (or stronger) to authenticate software releases

2004-04-06 Thread Anton Stiglic
> > But if you are given the choice between using MD5 and SHA1, I'd prefer > > SHA1, but I wouldn't be concerned with someone using MD5 instead of SHA1 > > for the time being. In other words, if I were to do a risk analysis, I would > > identify > > the use of MD5 instead of SHA1 as one of the maj

Re: Is there a Brands certificate reference implementation?

2004-05-08 Thread Anton Stiglic
Stefan Brands started his own company, http://www.credentica.com/ There isn't much on the web site yet, but if you click on the image you get the info email address. The code that was developed for Brands credentials at ZKS was never released. There was also code written during the ESPRIT proje

Re: The future of security

2004-05-26 Thread Anton Stiglic
- Original Message - From: "Steven M. Bellovin" <[EMAIL PROTECTED]> To: "Ian Grigg" <[EMAIL PROTECTED]> Cc: "Graeme Burnett" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Tuesday, May 11, 2004 11:36 AM Subject: Re: The future of security > In message <[EMAIL PROTECTED]>, Ian Grigg wri

Re: SSL accel cards

2004-05-26 Thread Anton Stiglic
> > Does anyone know of an SSL acceleration card that actually works under > Linux/*BSD? I successfully used a Broadcom PCI card on a Linux (don't remember what Linux and kernel version, this was close to 2 years ago). If I remember correctly it was the BCM5820 processor I used http://www.broadcom

RE: recommendations/evaluations of free / low-cost crypto libraries

2004-06-22 Thread Anton Stiglic
A list can be found here http://www.homeport.org/~adam/crypto/ There are several things that you might want to consider, other than the language in which the library was written of course. You might want to consider the cryptographic algorithms that are supported, and support for standards such

RE: recommendations/evaluations of free / low-cost crypto libraries

2004-06-30 Thread Anton Stiglic
>-Original Message- >From: [EMAIL PROTECTED] [mailto:owner->[EMAIL PROTECTED] On Behalf Of Peter Gutmann >Sent: 29 juin 2004 09:49 >To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] >Subject: RE: recommendations/evaluations of free / low-cost crypto >librar

RE: authentication and authorization (was: Question on the state of the security industry)

2004-07-07 Thread Anton Stiglic
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Denker Sent: 1 juillet 2004 14:27 To: [EMAIL PROTECTED] Cc: Ian Grigg Subject: Re: authentication and authorization (was: Question on the state of the security industry) >1) For starters, "identity theft

RE: authentication and authorization

2004-07-07 Thread Anton Stiglic
>-Original Message- >From: John Denker [mailto:[EMAIL PROTECTED] >Sent: 5 juillet 2004 18:28 >To: Anton Stiglic >Cc: [EMAIL PROTECTED]; 'Ian Grigg' >Subject: Re: authentication and authorization >[...] >We should assume that the participants on

RE: authentication and authorization (was: Question on the state of the security industry)

2004-07-08 Thread Anton Stiglic
>However, in some scenarios >http://www.garlic.com/~lynn/2001h.html#61 >the common use of static data is so pervasive that an individual's >information >is found at thousands of institutions. The value of the information to the >criminal is that the same information can be used to perpetrate fraud

RE: identification + Re: authentication and authorization

2004-07-09 Thread Anton Stiglic
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Gerck Sent: 7 juillet 2004 14:46 To: [EMAIL PROTECTED] Subject: identification + Re: authentication and authorization >I believe that a significant part of the problems discussed here is that >the three

RE: EZ Pass and the fast lane ....

2004-07-13 Thread Anton Stiglic
My 2 cents on the subject... The automatic toll fee system I am most familiar with is that of Kapsch (used to be Combitech). They have implemented automatic toll fee collection in many countries around the world (in Europe, Asia, Australia, South America)... http://www.kapsch.se/ I think they u

RE: Humorous anti-SSL PR

2004-07-15 Thread Anton Stiglic
>This barely deserves mention, but is worth it for the humor: >"Information Security Expert says SSL (Secure Socket Layer) is Nothing More >Than a Condom that Just Protects the Pipe" >http://www.prweb.com/releases/2004/7/prweb141248.htm The article says "The weaknesses of SSL implementations have

RE: Verifying Anonymity

2004-07-16 Thread Anton Stiglic
>> [...] I find it hard to imagine how you >> can even know whether it "seems to work", let alone has some subtle >> problem. > >That's clearly a much harder problem--and indeed I suspect it's behind >the general lack of interest that the public has shown in anonymous >systems. > >-Ekr The lack o

RE: New Attack on Secure Browsing

2004-07-16 Thread Anton Stiglic
>You stated that http://www.pgp.com is an SSL-protected page, but did you >mean https://www.pgp.com? On my Powerbook, with all the browsers I get an >error that the certificate is wrong and they end up at http://www.pgp.com. What I get is a bad certificate, and this is due to the fact that the ce

RE: dual-use digital signature vulnerability

2004-07-21 Thread Anton Stiglic
About using a signature key to only sign contents presented in a meaningful way that the user supposedly read, and not random challenges: The X.509 PoP (proof-of-possession) doesn't help things out, since a public key certificate is given to a user by the CA only after the user has demonstrated t

RE: Microsoft .NET PRNG (fwd)

2004-08-10 Thread Anton Stiglic
There is some detail in the FIPS 140 security policy of Microsoft's cryptographic provider, for Windows XP and Windows 2000. See for example http://csrc.nist.gov/cryptval/140-1/140sp/140sp238.pdf where they say the RNG is based on FIPS 186 RNG using SHS. The seed is based on the collection of al

RE: Microsoft .NET PRNG (fwd)

2004-08-12 Thread Anton Stiglic
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Gerck Sent: 10 août 2004 13:42 To: [EMAIL PROTECTED] Subject: Re: Microsoft .NET PRNG (fwd) >The PRNG should be the least concern when using MSFT's cryptographic >provider. The MSFT report 140sp238.pdf s

RE: Maths holy grail could bring disaster for internet

2004-09-08 Thread Anton Stiglic
>Mathematicians could be on the verge of solving two separate million dollar >problems. If they are right - still a big if - and somebody really has >cracked the so-called Riemann hypothesis, financial disaster might follow. >Suddenly all cryptic codes could be breakable. No internet transaction >w

New IBM Thinkpad includes biometrics

2004-10-19 Thread Anton Stiglic
http://www.theregister.co.uk/2004/10/05/biometric_thinkpad_t42/ I wonder how well it can counter the attacks discussed by researchers in the last few years. Like reactivating a fingerprint authentication by breathing on the sensor's surface containing residue fat traces of the finger, or placing

RE: SSL/TLS passive sniffing

2004-12-05 Thread Anton Stiglic
>This sounds very confused. Certs are public. How would knowing a copy >of the server cert help me to decrypt SSL traffic that I have intercepted? I found a lot of people mistakenly use the term certificate to mean something like a pkcs12 file containing public key certificate and private key.

RE: The Pointlessness of the MD5 "attacks"

2005-01-04 Thread Anton Stiglic
>David Wagner wrote: >> Ben Laurie writes: > > >> Or, even more contrived, imagine that img1.jpg looks >> like a completely normal JPG file, but img2.jpg exploits some buffer >> overrun in the startup screen's JPG decoder to overwrite the program's >> image with some other malicious code. >> >> Su

Re: Fermat's primality test vs. Miller-Rabin

2005-11-10 Thread Anton Stiglic
>> I guess the small increase in efficiency would not be worth additional >> program code. > > That depends on the size of the numbers you're working with... > Considering the research that goes into fast implementations of > PowerMod I don't think the required computation is trivial. > >> Although

Re: Fermat's primality test vs. Miller-Rabin

2005-11-10 Thread Anton Stiglic
>> Although the Carmichael numbers fool the Fermat test >> (that is, $a^{n-1} = 1 (n)$) for *all* a, there are no such things for >> the Miller-Rabin test: for any odd composite n at least 3/4 of a's >> fail the test, that is if you made m MR tests with random a's then you >> are mistaken with pr

RE: Fermat's primality test vs. Miller-Rabin

2005-11-16 Thread Anton Stiglic
>The general consensus is that for 500-bit numbers one needs only 6 MR >tests for 2^{-80} error probability [1]: >... > and thus a single test gives ~2^{-13}. If you just took the exponent 80 and divided it by 6 to get ~13, I don't think that is the right reasoning. Look at table 4.3 of the H

RE: Fermat's primality test vs. Miller-Rabin

2005-11-30 Thread Anton Stiglic
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joseph Ashwood Sent: November 18, 2005 3:18 AM To: cryptography@metzdowd.com Subject: Re: Fermat's primality test vs. Miller-Rabin >> Look at table 4.3 of the Handbook of >> applied cryptography: for t = 1

RE: Encryption using password-derived keys

2005-12-02 Thread Anton Stiglic
It can be useful to derive a key encryption key from the password, and not use the key derived from the password to directly encrypt data you want to protect, when the resulting ciphertext can be found in different places where your encrypted key won't necessarily also be found. For example, to enc

RE: Fermat's primality test vs. Miller-Rabin

2005-12-05 Thread Anton Stiglic
>Ok after making that change, and a few others. Selecting only odd numbers >(which acts as a small sieve) I'm not getting much useful information. It >appears to be such that at 512 bits if it passes once it passes 128 times, >and it appears to fail on average about 120-130 times, so the sieve

RE: another feature RNGs could provide

2005-12-22 Thread Anton Stiglic
>Actually, by definition, a cipher should be a permutation from the set >of plaintexts to the set of ciphertexts. It has to be 1 to 1 bijective >or it isn't an encryption algorithm. > >Therefore, if you want an ergodic sequence of size 2^N, a counter >encrypted under an N bit block cipher will do i

RE: a crypto wiki

2006-01-28 Thread Anton Stiglic
I agree. The cryptodox page looks nice, but I would rather see the content go in wikipedia, which is worked on, and looked at, by many more people, a really beautiful community work. --anton -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Whyte, William

RE: general defensive crypto coding principles

2006-02-14 Thread Anton Stiglic
I don't believe MtE is good advice, and I have yet to see a decent reason why one would want to use that instead of EtM. Of course when we talk about EtM, the MAC should be applied over all plaintext headers and trailers (including IV used for encryption, algorithm identifier, protocol version, wh

RE: NPR : E-Mail Encryption Rare in Everyday Use

2006-03-08 Thread Anton Stiglic
>More strongly, if we've never met, and you are not in the habit of >routinely signing email, thereby tying a key to your e-persona, it >makes no sense to speak of *secure* communication to *you*. Regularly signing email is not necessarily a good idea. I like to be able to repudiate most emails

Re: Interesting bit of a quote

2006-07-12 Thread Anton Stiglic
> David Wagner writes: > SB1386 says that if a company conducts business in California and > has a system that includes personal information stored in unencrypted form > and if that company discovers or is notified of a breach of the security of > that system, then the company must notify any Californi

RE: Exponent 3 damage spreads...

2006-09-20 Thread Anton Stiglic
I tried coming up with my own forged signature that could be validated with OpenSSL (which I intended to use to test other libraries). I haven't succeeded, either because in the particular example I came up with OpenSSL does something that catches the invalid signature, or I messed up somewhere (

RE: Exponent 3 damage spreads...

2006-09-21 Thread Anton Stiglic
Anton Stiglic writes: > I tried coming up with my own forged signature that could be validated with > OpenSSL (which I intended to use to test other libraries). ... > Now let's look at s^3 > 1FF

Re: Why the exponent 3 error happened:

2006-09-21 Thread Anton Stiglic
As others have mentioned, I don't believe the small RSA exponent (e = 3) is to blame in Bleichenbacher's attack. Indeed, the mathematical problem of computing the cubic root of m modulo an RSA modulus n, for a *fixed*, arbitrary m, is still considered to be hard (no one has shown the opposite). Wh

RE: Exponent 3 damage spreads...

2006-09-22 Thread Anton Stiglic
O.k., thanks to Hal Finney for pointing out to me in a private email that my modulus wasn't in fact the right size. I have had some problems with the openssl key generation (doesn't always seem to generate the exact modulus size I ask for). In attachment, the forged signature opensslB-fake-bin.

Re: interesting HMAC attack results

2006-09-25 Thread Anton Stiglic
Very interesting, I wonder how this integrates with the following paper http://citeseer.ist.psu.edu/bellare06new.html which basically says: Abstract: HMAC was proved in [2] to be a PRF assuming that (1) the underlying compression function is a PRF, and (2) the iterated hash function is weakly col

RE: Traffic Analysis References

2006-10-21 Thread Anton Stiglic
You will find a couple of references on traffic analysis applied to anonymous networks here http://freehaven.net/anonbib/ --Anton -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Leandro Meiners Sent: October 19, 2006 2:09 PM To: Cryptography Subject: Traf

RE: Intuitive cryptography that's also practical and secure.

2007-02-03 Thread Anton Stiglic
I am not convinced that we need intuitive cryptography. Many things in life are not understood by the general public. How does a car really work: most people don't know but they still drive one. How does a microwave oven work? People don't need to understand the details, but the high level conce

RE: Private Key Generation from Passwords/phrases

2007-02-03 Thread Anton Stiglic
Bill Stewart wrote: >Salt is designed to address a couple of threats >- Pre-computing password dictionaries for attacking wimpy passwords >... Yes indeed. The rainbow-tables style attacks are important to protect against, and a salt does the trick. This is why you can find rainbow tables for Lan