Re: Nullsoft's WASTE communication system

2003-06-02 Thread David Wagner
Eric Rescorla wrote: E(M) || H(M)- This is still quite dangerous. If the attacker can somehow reset the IV, then they can mount an attack on the first cipher block. Also, it can violate confidentiality. If M is guessable, the guess can be confirmed

Re: traffic analysis

2003-08-29 Thread David Wagner
John S. Denker wrote: More specifically, anybody who thinks the scheme I described is vulnerable to a timing attack isn't paying attention. I addressed this point several times in my original note. All transmissions adhere to a schedule -- independent of the amount, timing, meaning, and other

Re: cryptographic ergodic sequence generators?

2003-09-07 Thread David Wagner
Perry E. Metzger wrote: I've noted to others on this before that for an application like the IP fragmentation id, it might be even better if no repeats occurred in any block of 2^31 (n being 32) but the sequence did not repeat itself (or at least could be harmlessly reseeded at very very long

Re: Code breakers crack GSM cellphone encryption

2003-09-08 Thread David Wagner
John Doe Number Two wrote: It's nice to see someone 'discovering' what Lucky Green already figured-out years ago. I wonder if they'll cut him a check. No, no, no! This is new work, novel and different from what was previously known. In my opinion, it is an outstanding piece of research.

Re: Code breakers crack GSM cellphone encryption

2003-09-08 Thread David Wagner
Trei, Peter wrote: Why the heck would a government agency have to break the GSM encryption at all? Well, one reason might be if that government agency didn't have lawful authorization from the country where the call takes place. (say, SIGINT on GSM calls made in Libya) Another might be if the

Re: Code breakers crack GSM cellphone encryption

2003-09-09 Thread David Wagner
Vin McLellan wrote: A5/2 was the equivalent of 40-bit DES, presumed to be relatively weak and developed as an export standard. Yeah. Except it would be more accurate to place A5/2's strength as roughly equivalent to 17-bit DES. A5/1's strength is roughly equivalent to that of 40-bit DES. Of

Re: Code breakers crack GSM cellphone encryption

2003-09-09 Thread David Wagner
One point your analysis misses is that there are public policy implications to deploying a phone system that enemy countries can routinely intercept. Not all attacks are financially motivated. Is it a good thing for our infrastructure to be so insecure? Do we want other countries listening to

Re: quantum hype

2003-09-13 Thread David Wagner
martin f krafft wrote: So MagiQ and others claim that the technology is theoretically unbreakable. How so? If I have 20 bytes of data to send, and someone reads the photon stream before the recipient, that someone will have access to the 20 bytes before the recipient can look at the 20 bytes,

Re: quantum hype

2003-09-13 Thread David Wagner
On 09/13/2003 05:06 PM, David Wagner wrote: Quantum cryptography *assumes* that you have an authentic, untamperable channel between sender and receiver. Not true. The signal is continually checked for tampering; no assumption need be made. Quantum crypto only helps me exchange a key

Re: quantum hype

2003-09-14 Thread David Wagner
Arnold G. Reinhold wrote: I think there is another problem with quantum cryptography. Putting aside the question of the physical channel, there is the black box at either end that does all this magical quantum stuff. One has to trust that black box. - Its design has to thoroughly audited and

Re: Quantum cryptography finally commercialized?

2003-09-17 Thread David Wagner
R. A. Hettinga wrote: http://www.net-security.org/news.php?id=3583 Quantum cryptography finally commercialized? Posted by Mirko Zorz - LogError Tuesday, 16 September 2003, 1:23 PM CET For the onlookers, this article is misinformed and should not be relied upon for evaluating quantum

Re: SSL, client certs, and MITM (was WYTM?)

2003-10-22 Thread David Wagner
Tom Otvos wrote: As far as I can glean, the general consensus in WYTM is that MITM attacks are very low (read: inconsequential) probability. Is this *really* true? I'm not aware of any such consensus. I suspect you'd get plenty of debate on this point. But in any case, widespread exploitation of

Re: SSL, client certs, and MITM (was WYTM?)

2003-10-23 Thread David Wagner
Thor Lancelot Simon wrote: Can you please posit an *exact* situation in which a man-in-the-middle could steal the client's credit card number even in the presence of a valid server certificate? Sure. If I can assume you're talking about SSL/https as it is typically used in ecommerce today,

Re: Are there...

2003-11-16 Thread David Wagner
Enzo Michelangeli wrote: ...one-way encryption algorithms guaranteed to be injective (i.e., deterministically collision-free)? Every encryption algorithm is injective, otherwise decryption would be ambiguous. In other words, if x and x' are two different plaintexts, then E_k(x) != E_k(x'). I'm

Re: A-B-a-b encryption

2003-11-17 Thread David Wagner
martin f krafft wrote: it came up lately in a discussion, and I couldn't put a name to it: a means to use symmetric crypto without exchanging keys: - Alice encrypts M with key A and sends it to Bob - Bob encrypts A(M) with key B and sends it to Alice - Alice decrypts B(A(M)) with key A,

Re: Are there...one-way encryption algorithms

2003-11-17 Thread David Wagner
Enzo Michelangeli wrote: Anyway, the intended use is for primary keys in transaction databases, in replacement of the PAN (a.k.a. credit card number). Using secure hashes is the usual way of doing such things, but the slight risk of collision, although practically negligible, is a bit irksome

Re: Are there...one-way encryption algorithms

2003-11-21 Thread David Wagner
Anton Stiglic wrote: David Wagner [EMAIL PROTECTED] wrote: martin f krafft wrote: - Bob encrypts A(M) with key B and sends it to Alice - Alice decrypts B(A(M)) with key A, leaving B(M), sends it to Bob - Bob decrypts B(M) with key B leaving him with M. Are there algorithms

Re: safety of Pohlig-Hellman with a common modulus?

2003-12-07 Thread David Wagner
Peter Fairbrother wrote: Nope. In P-H there is no g. A ciphertext is M^k mod p. An attacker won't know k, and usually won't know M, but see below. I don't know what the problem is called, but it isn't DLP. Anyone? Ok, I was being slightly loose. To be more precise, the security of

Re: example: secure computing kernel needed

2003-12-18 Thread David Wagner
Jerrold Leichter wrote: We've met the enemy, and he is us. *Any* secure computing kernel that can do the kinds of things we want out of secure computing kernels, can also do the kinds of things we *don't* want out of secure computing kernels. I don't understand why you say that. You can build

Re: example: secure computing kernel needed

2003-12-22 Thread David Wagner
William Arbaugh wrote: On Dec 16, 2003, at 5:14 PM, David Wagner wrote: Jerrold Leichter wrote: We've met the enemy, and he is us. *Any* secure computing kernel that can do the kinds of things we want out of secure computing kernels, can also do the kinds of things we *don't* want out

Re: example: secure computing kernel needed

2003-12-23 Thread David Wagner
William Arbaugh wrote: David Wagner writes: As for remote attestion, it's true that it does not directly let a remote party control your computer. I never claimed that. Rather, it enables remote parties to exert control over your computer in a way that is not possible without remote

Re: example: secure computing kernel needed

2003-12-29 Thread David Wagner
Jerrold Leichter wrote: | *Any* secure computing kernel that can do | the kinds of things we want out of secure computing kernels, can also | do the kinds of things we *don't* want out of secure computing kernels. David Wagner wrote: | It's not hard to build a secure kernel that doesn't provide

Re: Difference between TCPA-Hardware and a smart card (was: example: secure computing kernel needed)

2003-12-29 Thread David Wagner
Rick Wash wrote: There are many legitimate uses of remote attestation that I would like to see. For example, as a sysadmin, I'd love to be able to verify that my servers are running the appropriate software before I trust them to access my files for me. Remote attestation is a good technical

Re: example: secure computing kernel needed

2003-12-29 Thread David Wagner
Ed Reed wrote: There are many business uses for such things, like checking to see if locked down kiosk computers have been modified (either hardware or software), I'm a bit puzzled why you'd settle for detecting changes when you can prevent them. Any change you can detect, you can also prevent

Re: Difference between TCPA-Hardware and a smart card (was: example: secure computing kernel needed)

2004-01-03 Thread David Wagner
Jerrold Leichter wrote: All of this is fine as long as there is a one-to-one association between machines and owners of those machines. Consider the example I gave earlier: A shared machine containing the standard distribution of the trusted computing software. All the members of the group

Re: DRM of the mirror universe

2004-04-14 Thread David Wagner
Jani Nurminen wrote: I had this idea about reversing the roles of the actors in a typical DRM system, and thinking about where it might lead. [...] This kind of application of DRM would probably guarantee privacy of the personal data of each individual person, while at the same time allow

More problems with hash functions

2004-09-01 Thread David Wagner
Jerrold Leichter wrote: Joux's attack says: Find single block messages M1 and M1' that collide on the blank initial state. Now find messages M2 amd M2' that collide with the (common) final state from M1 and M1'. Then you hav four 2-block collisions for the cost of two: M1|M2, M1'|M2, and so

?splints for broken hash functions

2004-09-01 Thread David Wagner
Hal Finney writes: [John Denker proposes:] the Bi are the input blocks: (IV) - B1 - B2 - B3 - ... Bk - H1 (IV) - B2 - B3 - ... Bk - B1 - H2 then we combine H1 and H2 nonlinearly. This does not add any strength against Joux's attack. One can find collisions for this in 80*2^80 time with

Seth Schoen's Hard to Verify Signatures

2004-09-08 Thread David Wagner
Hal Finney wrote: [...] hard to verify signature [...] Choose the number of modular squarings, t, that you want the verifier to have to perform. Suppose you choose t = 1 billion. Now you will sign your value using an RSA key whose exponent e = 2^t + 1. The way you sign, even using such a large

SSL/TLS passive sniffing

2004-11-30 Thread David Wagner
Ian Grigg writes: I note that disctinction well! Certificate based systems are totally vulnerable to a passive sniffing attack if the attacker can get the key. Whereas Diffie Hellman is not, on the face of it. Very curious... No, that is not accurate. Diffie-Hellman is also insecure if the

The Pointlessness of the MD5 attacks

2004-12-22 Thread David Wagner
Ben Laurie writes: Dan Kaminsky's recent posting seems to have caused some excitement, but I really can't see why. In particular, the idea of having two different executables with the same checksum has attracted attention. But the only way I can see to exploit this would be to have code that

The Pointlessness of the MD5 attacks

2004-12-22 Thread David Wagner
Ben Laurie writes: Indeed, but what's the point? If you control the binary, just distribute the malicious version in the first place. Where this argument breaks down is that someone might have partial but not total control over the binary. This partial control might not be enough for them to

SSL/TLS passive sniffing

2005-01-04 Thread David Wagner
Florian Weimer [EMAIL PROTECTED] writes: I'm slightly troubled by claims such as this one: http://lists.debian.org/debian-devel/2004/12/msg01950.html [which says: If you're going to use /dev/urandom then you might as well just not encrypt the session at all.] That claim is totally bogus,

Entropy and PRNGs

2005-01-09 Thread David Wagner
John Denker writes: Ben Laurie wrote: http://www.apache-ssl.org/randomness.pdf I just took a look at the first couple of pages. IMHO it has much room for improvement. I guess I have to take exception. I disagree. I think Ben Laurie's paper is quite good. I thought your criticisms missed some

Entropy and PRNGs

2005-01-10 Thread David Wagner
John Denker writes: Well, of course indeed! That notion of entropy -- the entropy in the adversary's frame of reference -- is precisely the notion that is appropriate to any adversarial situation, as I have consistently and clearly stated in my writings; [...] There is only one entropy that

Simson Garfinkel analyses Skype - Open Society Institute

2005-01-11 Thread David Wagner
In article [EMAIL PROTECTED] you write: Voice Over Internet Protocol and Skype Security Simson L. Garfinkel http://www.soros.org/initiatives/information/articles_publications/articles/security_20050107/OSI_Skype5.pdf Is Skype secure? The answer appears to be, no one knows. The report accurately

Simson Garfinkel analyses Skype - Open Society Institute

2005-01-28 Thread David Wagner
Adam Shostack [EMAIL PROTECTED] writes: On Mon, Jan 10, 2005 at 08:33:41PM -0800, David Wagner wrote: | In article [EMAIL PROTECTED] you write: | Voice Over Internet Protocol and Skype Security | Is Skype secure? | | The answer appears to be, no one knows. The report accurately reports

Propping up SHA-1 (or MD5)

2005-03-25 Thread David Wagner
Ben Laurie writes: It was suggested at the SAAG meeting at the Minneapolis IETF that a way to deal with weakness in hash functions was to create a new hash function from the old like so: H'(x)=Random || H(Random || x) Yes. Suppose we use this for signing. The crucial part is to have the

What is to be said about pre-image resistance?

2005-03-25 Thread David Wagner
Ian G writes: Collision resistance of message digests is effected by the birthday paradox, but that does not effect pre-image resistance. (correct?) So can we suggest that for pre-image resistance, the strength of the SHA-1 algorithm may have been reduced from 160 to 149? Well, I'm not sure

Secure Science issues preview of their upcoming block cipher

2005-03-25 Thread David Wagner
Jerrold Leichter writes: They don't claim that: This cipher is ... provably just as secure as AES-128. I can come up with a cipher provably just as secure as AES-128 very quickly Actually, I think Adam is totally right. Have you looked at their scheme?

Microsoft info-cards to use blind signatures?

2005-05-23 Thread David Wagner
http://www.idcorner.org/index.php?p=88 The Identity Corner Stephan Brands I am genuinely excited about this development, if it can be taken as an indication that Microsoft is getting serious about privacy by design for identity management. That is a big if, however: indeed, the same Microsoft

DTV Content Protection (fwd from [EMAIL PROTECTED])

2005-05-23 Thread David Wagner
Anonymous wrote: DTV Content Protection [...] Similar concepts are presented in http://apache.dataloss.nl/~fred/www.nunce.org/hdcp/hdcp111901.htm by Scott Crosby, Ian Goldberg, Robert Johnson, Dawn Song and David Wagner. This paper assumes (unlike Irwin) that attackers have access to the private

encrypted tapes (was Re: Papers about Algorithm hiding ?)

2005-06-08 Thread David Wagner
Ben Laurie writes: Why is it bad for the page to be downloaded clear? What matters is the destination is encrypted, surely? Because the page you downloaded in the clear contains the https: URL in the post method. How do you know that this is the right URL? If you got the page in the clear, you

MIT talk: Special-Purpose Hardware for Integer Factoring

2005-09-15 Thread David Wagner
Victor Duchovni wrote: Joint works with [...] Is it politically correct to not cite DJB in this context [...] The phrase joint work with XXX means that this was a collaboration between XXX and the speaker. If DJB wasn't part of the collaboration, then of course he wouldn't be on that list.

Defending users of unprotected login pages with TrustBar 0.4.9.93

2005-09-20 Thread David Wagner
Amir Herzberg writes: However, quite a few of these sites invoke SSL/TLS only _after_ user has typed in her user name and pw, and clicked `submit`. This allows a MITM adversary to send a modified login page to the user, which sends the pw to the attacker (rather than encrypting it and sending to

timing attack countermeasures (nonrandom but unpredictable delays)

2005-11-16 Thread David Wagner
Travis writes: The naive countermeasure to timing attacks is to add a random delay, but of course that can be averaged out by repeating the computation. I have never heard anyone propose a delay that is based on the input, and maybe some per-machine secret, so that it is unpredictable but

RNG implementations and their problems

2005-12-04 Thread David Wagner
So far I haven't seen any userland tools for updating the entropy count. This is unfortunate, because sometimes I generate entropy on one machine and want to pipe it into the /dev/random pool. However, I cannot update entropy counts [...] This is a security feature. If non-root programs could

RNG quality verification

2005-12-22 Thread David Wagner
Philipp G#ring [EMAIL PROTECTED] writes: I have been asked by to verify the quality of the random numbers which are used for certificate requests that are being sent to us, to make sure that they are good enough, and we donĀ“t issue certificates for weak keys. Go tell whoever wrote your

GnuTLS (libgrypt really) and Postfix

2006-02-13 Thread David Wagner
John Denker [EMAIL PROTECTED] writes: Werner Koch retorted: I disagree strongly here. Any code which detects an impossible state or an error clearly due to a programming error by the caller should die as soon as possible. That is a remarkably unprofessional suggestion. I hope the people

Chinese WAPI protocol?

2006-06-12 Thread David Wagner
Richard Salz [EMAIL PROTECTED] wrote: Today in slashdot (http://it.slashdot.org/it/06/06/12/0710232.shtml) there was an article about China wanting to get WAPI accepted as a new wireless security standard. Has anyone looked at it? Adam Perez wrote: I have not looked at WAPI, but they have been

Chinese WAPI protocol?

2006-06-15 Thread David Wagner
hank you to everyone who corrected the errors in my earlier post. As has been pointed out, the SMS4 block cipher was disclosed earlier this year. Nonetheless, many of my concerns about the security of WAPI remain. We already have a perfectly good solution out there; 802.11i is a good scheme, and

Irish eVoting Vetoed

2006-07-05 Thread David Wagner
The Irish government's commission's report on the NEDAP/Powervote system has been published. (PDFs on the site) http://www.cev.ie/htm/report/download_second.htm As a secure system, it leaves a lot to be desired and it seems to be an example in how not to implement an eVoting system. Just

Factorization polynomially reducible to discrete log - known fact or not?

2006-07-12 Thread David Wagner
Ondrej Mikle wrote: I believe I have the proof that factorization of N=p*q (p, q prime) is polynomially reducible to discrete logarithm problem. Is it a known fact or not? Be careful: when most people talk about the assumption that the discrete log problem being hard, they usually are

Re: Interesting bit of a quote

2006-07-12 Thread David Wagner
[EMAIL PROTECTED] Been with a reasonable number of General Counsels on this sort of thing. Maybe you can blame them and not SB1386 for saying that if you cannot prove the data didn't spill then it is better corporate risk management to act as if it did spill. Well, are you sure you haven't

Re: Factorization polynomially reducible to discrete log - known

2006-07-12 Thread David Wagner
The algorithm is very simple: 1. Choose a big random value x from some very broad range (say, {1,2,..,N^2}). 2. Pick a random element g (mod N). 3. Compute y = g^x (mod N). 4. Ask for the discrete log of y to the base g, and get back some answer x' such that y = g^x' (mod N).

Solving systems of multivariate polynomials modulo 2^32

2006-08-14 Thread David Wagner
Danilo Gligoroski writes: [...] solve a system of 3 polynomials of order 3 with 3 variables x1, x2 and x3 in the set Z_{2^32} and coeficients also in Z_{2^32} [...] Here is a trick that should solve these kinds of equations extremely quickly. First, you solve the system of equations modulo 2.

Any opinions on Kryptor...?

2006-09-09 Thread David Wagner
Leandro Meiners writes: Has anybody heard about Kryptor? Any opinions? (Link: http://www.rosiello.org/modules/smartsection/visit.php?fileid=1) I have no clue whether the stream cipher in that paper is any good, but the security analysis in the paper is basically nonsense. The paper contains

Exponent 3 damage spreads...

2006-09-17 Thread David Wagner
James A. Donald [EMAIL PROTECTED] writes: Parameters should not be expressed in the relevant part of the signature. The only data that should be encrypted with the RSA private key and decrypted with the public key is the hash result itself, and the padding. If the standard specifies that

Startup to launch new random number generator from space

2006-12-24 Thread David Wagner
Udhay Shankar reports: http://news.zdnet.com/2100-1009_22-6142935.html British start-up Yuzoz has announced that it will be launching its beta service in the next two weeks--an online random-number generator driven by astronomical events. Heh heh. Pretty amusing. I guess the founders haven't

Re: analysis and implementation of LRW

2007-01-23 Thread David Wagner
Jim Hughes writes: The IEEE P1619 standard group has dropped LRW mode. It has a vulnerability that that are collisions that will divulge the mixing key which will reduce the mode to ECB. Peter Gutmann asks: Is there any more information on this anywhere? I haven't been able to find anything

Re: analysis and implementation of LRW

2007-01-24 Thread David Wagner
Thanks to everyone who responded with more information about IEEE P1619. Here are some of the additional links, with my reactions: Andrea Pasquinucci points to: http://en.wikipedia.org/wiki/IEEE_P1619#LRW_issue Ben Laurie points to: http://grouper.ieee.org/groups/1619/email/msg00558.html

More info in my AES128-CBC question

2007-04-22 Thread David Wagner
Hagai Bar-El writes: What Aram wrote is many of the attendees have very little security experience, not: there are no attendees with security experience. There are people at the relevant OMA group who know enough about security, but just like in the real world -- they are outnumbered by plain

Fixing SSL (was Re: Dutch Transport Card Broken)

2008-02-09 Thread David Wagner
Tim Dierks writes: (there are totally different reasons that client certs aren't being widely adopted, but that's beside the point). I'd be interested in hearing your take on why SSL client certs aren't widely adopted. It seems like they could potentially help with the phishing problem (at

Toshiba shows 2Mbps hardware RNG

2008-02-14 Thread David Wagner
Crawford Nathan-HMGT87 writes: One of the problems with the Linux random number generator is that it happens to be quite slow, especially if you need a lot of data. /dev/urandom is blindingly fast. For most applications, that's all you need. (Of course there are many Linux applications that use

User interface, security, and simplicity

2008-05-06 Thread David Wagner
In article [EMAIL PROTECTED] you write: On Sun, May 04, 2008 at 10:24:13PM -0400, Thor Lancelot Simon wrote: I believe that those who supply security products have a responsibility to consider the knowledge, experience, and tendencies of their likely users to the greatest extent to which

Re: Looking through a modulo operation

2008-07-21 Thread David Wagner
Florian Weimer writes: I've got a function f : S - X x S where S = (Z/2Z)**96 and X = (Z/2Z)**32. Suppose that s_0 is fixed and (x_i, s_i) = f(s_{i-1}). (f implements a PRNG. The s_i are subsequent internal states and the x_i are results.) Now f happens to be linear. I know the values of

Re: Looking through a modulo operation

2008-07-22 Thread David Wagner
Matt Ball writes: Another attacking avenue is the 32-bit initial seed. If the implementation re-seeds frequently, or leaks to you the first outputs after initialization, then you only have to brute-force the 32-bit seed space, times the number of samples since reseeding. Well, that's good and

Re: Cube cryptanalysis?

2008-08-21 Thread David Wagner
Steve Bellovin writes: Greg, assorted folks noted, way back when, that Skipjack looked a lot like a stream cipher. Might it be vulnerable? I'm still absorbing Adi's new ideas, and I haven't looked at this in any detail, so anything I say should be taken with an enormous grain of salt. But,

Re: Activation protocol for tracking devices

2009-03-04 Thread David Wagner
Santiago Aguiar wrote: As I wrote in my last email, in Brazil they are devising a protocol to activate tracking/blocking devices to be installed from factory in *every* vehicle, starting progressively from august 2009. The idea is that a service operator (SO) can activate a device to work

Re: work factor calculation for brute-forcing crypto

2009-07-19 Thread David Wagner
Assume for a moment that we have a random number generator which is non-uniform, and we are using it to generate a key. What I'd like to do is characterize the work factor involved in brute-force search of the key space, assuming that the adversary has knowledge of the characteristics of the

Re: brute force physics Was: cleversafe...

2009-08-12 Thread David Wagner
Alexander Klimov wrote: A problem with this reasoning is that the physical world and the usual digital computers have exponential simulation gap (it is known at least in one direction: to simulate N entangled particles on a digital computer one needs computations exponential in N). This can

Re: Detecting attempts to decrypt with incorrect secret key in OWASP ESAPI

2009-09-16 Thread David Wagner
Advice: if you're creating something for general-purpose use, at a minimum make sure it provides authentication, integrity, *and* confidentiality. A reasonable choice might be Encrypt-then-Authenticate where you first encrypt with AES-CBC, then append a AES-CMAC message authentication code on the

Re: Detecting attempts to decrypt with incorrect secret key in OWASP ESAPI

2009-09-16 Thread David Wagner
I don't exactly follow the argument for using CCM mode instead AES-CBC encryption followed by AES-CMAC, and I'm not familiar with the political/perception arguments (who complains about the latter?), but whatever. It's hardly worth arguing over. The cryptographic mode of operation is unlikely to

Re: Detecting attempts to decrypt with incorrect secret key in OWASP ESAPI

2009-09-17 Thread David Wagner
Kevin W. Wall wrote: So given these limited choices, what are the best options to the questions I posed in my original post yesterday? Given these choices, I'd suggest that you first encrypt with AES-CBC mode. Then apply a message authentication code (MAC) to the whole ciphertext (including the

Re: Possibly questionable security decisions in DNS root management

2009-10-22 Thread David Wagner
Florian Weimer wrote: And you better randomize some bits covered by RRSIGs on DS RRsets. Directly signing data supplied by non-trusted source is quite risky. (It turns out that the current signing schemes have not been designed for this type of application, but the general crypto community is

Re: Question w.r.t. AES-CBC IV

2010-07-10 Thread David Wagner
Jerry Leichter wrote: CTR mode is dangerous unless you're also doing message authentication, Nitpick: That's true of CBC mode, too, and almost any other encryption mode. Encryption without authentication is dangerous; if you need to encrypt, you almost always need message authentication as

Re: A Fault Attack Construction Based On Rijmen's Chosen-Text Relations Attack

2010-07-22 Thread David Wagner
Alfonso De Gregorio wrote: The last Thursday, Vincent Rijmen announced a new clever attack on AES (and KASUMI) in a report posted to the Cryptology ePrint Archive: Practical-Titled Attack on AES-128 Using Chosen-Text Relations, http://eprint.iacr.org/2010/337 Jonathan Katz wrote:

Re: Encryption and authentication modes

2010-07-24 Thread David Wagner
Florian Weimer wrote: * David McGrew: can I ask what your interest in AEAD is? Is there a particular application that you have in mind? I just want to create a generic API which takes a key (most of the time, a randomly generated session key) and can encrypt and decrypt small blobs.

[Cryptography] Plug for crypto.stackexchange.com

2013-10-12 Thread David Wagner
I've noticed quite a few questions on this list recently of the form How do I do X? What is the right cryptographic primitive for goal X? etc. I'd like to plug the following site: http://crypto.stackexchange.com/ Cryptography Stack Exchange It is an excellent place to post questions like that