Re: Cryptography Research wants piracy speed bump on HD DVDs

2005-01-04 Thread Ian G
Bill Stewart wrote: At 09:08 AM 12/15/2004, Ian Grigg wrote: Let me get this right. ... ... A blockbuster worth $100m gets cracked ... and the crack gets watermarked with the Id of the $100 machine that played it. ... So the solution is to punish the $100 machine by asking them to call Disney with

Re: Cryptography Research wants piracy speed bump on HD DVDs

2005-01-04 Thread Ian G
To add a postscript to that, yesterday's LAWgram reported that $10 DVD *players* are now selling in the US. The economics of player-id-watermarking are looking a little wobbly; we can now buy a throwaway player for the same price as a throwaway disk. http://www.theinquirer.net/?article=20371

Re: AOL Help : About AOL® PassCode

2005-01-04 Thread Ian G
R.A. Hettinga wrote: http://help.channels.aol.com/article.adp?catId=6&sCId=415&sSCId=4090&articleId=217623 Have questions? Search AOL Help articles and tutorials: . If you no longer want to use AOL PassCode, you must release your screen name from your AOL PassCode so that you will no longer need

Re: AOL Help : About AOL® PassCode

2005-01-06 Thread Ian G
Joerg Schneider wrote: So, PassCode and similar forms of authentication help against the current crop of phishing attacks, but that is likely to change if PassCode gets used more widely and/or protects something of interest to phishers. Actually I have been waiting for phishing with MITM to

Simson Garfinkel analyses Skype - Open Society Institute

2005-01-09 Thread Ian G
Voice Over Internet Protocol and Skype Security Simson L. Garfinkel January 7, 2005 With the increased deployment of high-speed (broadband) Internet connectivity, a growing number of businesses and individuals are using the Internet for voice telephony, a technique known as Voice over Internet

Re: entropy depletion (was: SSL/TLS passive sniffing)

2005-01-09 Thread Ian G
William Allen Simpson wrote: There are already other worthy comments in the thread(s). This is a great post. One can't stress enough that programmers need programming guidance, not arcane information theoretic concepts. We are using computational devices, and therefore computational

Re: entropy depletion

2005-01-26 Thread Ian G
Ben Laurie wrote: William Allen Simpson wrote: Why then restrict it to non-communications usages? Because we are starting from the postulate that observation of the output could (however remotely) give away information about the underlying state of the entropy generator(s). Surely observation of

Re: entropy depletion

2005-01-26 Thread Ian G
William Allen Simpson wrote: Ian G wrote: The *requirement* is that the generator not leak information. This requirement applies equally well to an entropy collector as to a PRNG. Now here we disagree. It was long my understanding that the reason the entropy device (/dev/random) could be used

Re: Dell to Add Security Chip to PCs

2005-02-02 Thread Ian G
Erwann ABALEA wrote: On Wed, 2 Feb 2005, Trei, Peter wrote: Seeing as it comes out of the TCG, this is almost certainly the enabling hardware for Palladium/NGSCB. It's a part of your computer which you may not have full control over. Please stop relaying FUD. You have full control over your

Re: Can you help develop crypto anti-spoofing/phishing tool ?

2005-02-04 Thread Ian G
Michael H. Warfield wrote What Amir and Ahmad are looking at is showing the CA as part of the trust equation when the user hits a site. Some CAs will enter the user's consciousness via normal branding methods, and new ones will trigger care caution. Which is what we want - if something strange

Re: Is 3DES Broken?

2005-02-05 Thread Ian G
John Kelsey wrote: From: Steven M. Bellovin [EMAIL PROTECTED] No, I meant CBC -- there's a birthday paradox attack to watch out for. Yep. In fact, there's a birthday paradox problem for all the standard chaining modes at around 2^{n/2}. For CBC and CFB, this ends up leaking information
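The birthday problem for CBC that the post refers to, worked through on a toy cipher. This is an added example, not code from the list post: a seeded 16-bit random permutation stands in for an n-bit block cipher (only the block size matters for the argument), so the 2^{n/2} bound is about 256 blocks and collisions appear within a few thousand. Whenever two ciphertext blocks coincide, the attacker learns the XOR of the two corresponding plaintext blocks from ciphertext alone.

```python
"""Birthday-bound leakage in CBC mode on a toy 16-bit block cipher.

Added example, not from the list post. The cipher is a seeded random
permutation standing in for a real n-bit block cipher; only the block
size matters for the birthday argument.
"""
import random

BLOCK_BITS = 16              # toy n; the 2^(n/2) bound is ~256 blocks
SPACE = 1 << BLOCK_BITS


def toy_cipher(key: int) -> list:
    """Encryption table for a random 16-bit permutation keyed by `key`."""
    table = list(range(SPACE))
    random.Random(key).shuffle(table)
    return table


def cbc_encrypt(enc: list, iv: int, plaintext: list) -> list:
    """CBC: C_0 = IV, C_i = E(P_i xor C_{i-1}). Returns [C_0, C_1, ..., C_m]."""
    out = [iv]
    for p in plaintext:
        out.append(enc[p ^ out[-1]])
    return out


def cbc_collisions(ct: list) -> list:
    """Attacker's view: ciphertext blocks only.

    If C_i == C_j (i != j) the block cipher inputs were equal, so
    P_i xor C_{i-1} == P_j xor C_{j-1}, i.e. P_i xor P_j == C_{i-1} xor C_{j-1}.
    Returns (i, j, P_i xor P_j) for every colliding pair found.
    """
    seen = {}
    leaks = []
    for i in range(1, len(ct)):
        j = seen.get(ct[i])
        if j is not None:
            leaks.append((j, i, ct[j - 1] ^ ct[i - 1]))
        else:
            seen[ct[i]] = i
    return leaks


def demo(n_blocks: int, seed: int) -> dict:
    """Encrypt n_blocks random blocks (constructed input) and verify every leak."""
    rng = random.Random(seed)
    plaintext = [rng.randrange(SPACE) for _ in range(n_blocks)]
    enc = toy_cipher(key=rng.getrandbits(64))
    ct = cbc_encrypt(enc, iv=rng.randrange(SPACE), plaintext=plaintext)
    leaks = cbc_collisions(ct)
    # Check, with the plaintext the attacker does NOT have, that each leak is right.
    verified = all(plaintext[i - 1] ^ plaintext[j - 1] == x for i, j, x in leaks)
    return {"blocks": n_blocks, "collisions": len(leaks), "verified": verified}


if __name__ == "__main__":
    for n in (64, 256, 1024, 4096):
        print(demo(n, seed=1))
```

Scaling the same argument to a 64-bit block (3DES, Blowfish) puts the knee at about 2^32 blocks, a few tens of gigabytes under one key, which is why the mode, not only the cipher, sets the rekeying limit.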

Re: A cool demo of how to spoof sites (also shows how TrustBar preventsthis...)

2005-02-09 Thread Ian G
Adam Shostack wrote: Have you run end-user testing to demonstrate the user-acceptability of Trustbar? Yes, this was asked over on the cap-talk list. Below is what I posted there. I'm somewhat sympathetic as doing a real field trial which involves testing real responses to a browser attack

Re: A cool demo of how to spoof sites (also shows how TrustBar preventsthis...)

2005-02-09 Thread Ian G
Taral wrote: On Wed, Feb 09, 2005 at 07:41:36PM +0200, Amir Herzberg wrote: Why should I trust you? Filtering xn--* domains works for me, and doesn't require that I turn my browser over to unreviewed, possibly buggy code. I understand this is a theoretical question, but here is an answer:

critical bits in certs

2005-02-16 Thread Ian G
Has anyone got any experience or tips on critical bits in certificates? These are bits that can be set in optional records that a certificate creator puts in there to do a particular job. The critical bit says don't interpret this entire certificate if you don't understand this record. x.509

Re: SHA-1 cracked

2005-02-17 Thread Ian G
Steven M. Bellovin wrote: According to Bruce Schneier's blog (http://www.schneier.com/blog/archives/2005/02/sha1_broken.html), a team has found collisions in full SHA-1. It's probably not a practical threat today, since it takes 2^69 operations to do it and we haven't heard claims that NSA et

Re: SHA-1 cracked

2005-02-22 Thread Ian G
John Kelsey wrote: Anyone know where we could find the paper? It'd be kind-of convenient when trying to assess the impact of the attack if we knew at least a few details The *words* part I typed in here: http://www.financialcryptography.com/mt/archives/000357.html I skipped the examples.

Many Wireless Security Breaches Reported At (RSA) Security Conference

2005-02-22 Thread Ian G
(As I've said many times, security breaches reported at conferences full of security people don't count as a predictor of what's out in the real world as a threat. But, it makes for interesting reading and establishes some metric on the ease of the attack. iang)

$90 for high assurance _versus_ $349 for low assurance

2005-03-13 Thread Ian G
In the below, John posted a handy dandy table of cert prices, and Nelson postulated that we need to separate high assurance from low assurance. Leaving aside the technical question of how the user gets to see that for now, note how godaddy charges $90 for their high assurance and Verisign charges

Re: Encryption plugins for gaim

2005-03-15 Thread Ian G
Adam Fields wrote: Given what may or may not be recent ToS changes to the AIM service, I've recently been looking into encryption plugins for gaim. Specifically, I note gaim-otr, authored by Ian G, who's on this list. Just a quick note of clarification, there is a collision in the name Ian G. 4

Re: how to phase in new hash algorithms?

2005-03-20 Thread Ian G
Steven M. Bellovin wrote: So -- what should we as a community be doing now? There's no emergency on SHA1, but we do need to start, and soon. The wider question is how to get moving on new hash algorithms. That's a bit tricky. Normally we'd look to see NIST or the NESSIE guys lead a competition.

What is to be said about pre-image resistance?

2005-03-25 Thread Ian G
Collision resistance of message digests is affected by the birthday paradox, but that does not affect pre-image resistance. (correct?) So can we suggest that for pre-image resistance, the strength of the SHA-1 algorithm may have been reduced from 160 to 149? Or can we make some statement like
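The two generic bounds behind the question, measured rather than asserted. This is an added example, not part of the post: SHA-256 truncated to n bits (n = 20 here, so both searches finish in seconds) stands in for an n-bit digest. A birthday search finds a collision in roughly 2^{n/2} hash evaluations, while brute-forcing a pre-image of a fixed target takes roughly 2^n, which is the baseline any structural attack such as the SHA-1 result has to beat.

```python
"""Generic attack cost: collision (birthday, ~2^(n/2)) vs pre-image (~2^n).

Added example, not from the list post. Truncated SHA-256 stands in for an
n-bit hash; trial counts vary with the inputs but stay near the two bounds.
"""
import hashlib
from typing import Optional, Tuple


def h(n_bits: int, msg: bytes) -> int:
    """An n-bit hash: the leading n bits of SHA-256."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - n_bits)


def collision_trials(n_bits: int, prefix: bytes = b"msg-") -> Tuple[int, bytes, bytes]:
    """Birthday search: hash distinct messages until two outputs coincide."""
    seen = {}
    k = 0
    while True:
        m = prefix + str(k).encode()
        v = h(n_bits, m)
        if v in seen:
            return k + 1, seen[v], m          # trials, first message, second message
        seen[v] = m
        k += 1


def preimage_trials(n_bits: int, target: int, prefix: bytes = b"pre-",
                    cap: int = 1 << 24) -> Optional[int]:
    """Brute-force pre-image search; returns the trial count, or None if `cap` is hit."""
    for k in range(cap):
        if h(n_bits, prefix + str(k).encode()) == target:
            return k + 1
    return None


def compare(n_bits: int) -> dict:
    """Run both searches at the same n and report trials next to the textbook bounds."""
    c_trials, a, b = collision_trials(n_bits)
    assert a != b and h(n_bits, a) == h(n_bits, b)
    target = h(n_bits, b"some fixed document")   # constructed target
    p_trials = preimage_trials(n_bits, target)
    return {"n": n_bits,
            "collision_trials": c_trials, "collision_bound": 2 ** (n_bits // 2),
            "preimage_trials": p_trials, "preimage_bound": 2 ** n_bits}


if __name__ == "__main__":
    print(compare(20))
```

The gap between the two trial counts is the whole point: a collision result says nothing directly about pre-image strength, and a claimed reduction of pre-image resistance needs its own argument.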

Re: how email encryption should work

2005-03-29 Thread Ian G
Hi James, I read that last night, and was still musing on it... James A. Donald wrote: -- In my blog http://blog.jim.com/ I post how email encryption should work I would appreciate some analysis of this proposal, which I think summarizes a great deal of discussion that I have read. *

Re: Secure Science issues preview of their upcoming block cipher

2005-03-29 Thread Ian G
Dan Kaminsky wrote: Have you looked at their scheme? http://www.securescience.net/ciphers/csc2/ Secure Science is basically publishing a cipher suite implemented by Tom St. Denis, author of Libtomcrypt. Aha! I seem to recall on this very list about 2 years back, Tom got crucified for trying

Garfinkel analysis on Skype withdrawn?

2005-05-20 Thread Ian G
Has anyone got a copy of the Skype analysis done by Simson Garfinkel? It seems to have disappeared. Original Message Subject: Simson Garfinkel analyses Skype - Open Society Institute Date: Sun, 10 Apr 2005 10:32:44 +0200 From: Vito Catozzo Hi I am Italian, so forgive any

calling all French-reading cryptologers - Kerckhoff's 6 principles needs a translation

2005-05-20 Thread Ian G
It's been a year or so since this was raised, perhaps there are some French reading cryptologers around now? -- Forwarded Message -- Financial Cryptography Update: HCI/security - start with Kerckhoff's 6 principles May 01, 2005

[Fwd] Advances in Financial Cryptography - First Issue

2005-05-20 Thread Ian G
Advances in Financial Cryptography - First Issue May 11, 2005 https://www.financialcryptography.com/mt/archives/000458.html

Re: Malaysia car thieves steal finger

2005-05-20 Thread Ian G
On Friday 20 May 2005 19:22, Ben Laurie wrote: R.A. Hettinga wrote: Police in Malaysia are hunting for members of a violent gang who chopped off a car owner's finger to get round the vehicle's hi-tech security system. Good to know that my amputationware meme was not just paranoia.

Re: Citibank discloses private information to improve security

2005-05-31 Thread Ian G
On Saturday 28 May 2005 18:47, James A. Donald wrote: Do we have any comparable experience on SSH logins? Existing SSH uses tend to be geek oriented, and do not secure stuff that is under heavy attack. Does anyone have any examples of SSH securing something that was valuable to the user,

Re: Papers about Algorithm hiding ?

2005-05-31 Thread Ian G
On Thursday 26 May 2005 22:51, Hadmut Danisch wrote: Hi, you most probably have heard about the court case where the presence of encryption software on a computer was viewed as evidence of criminal intent. http://www.lawlibrary.state.mn.us/archive/ctappub/0505/opa040381-0503.htm

SSL stops credit card sniffing is a correlation/causality myth

2005-05-31 Thread Ian G
On Tuesday 31 May 2005 02:17, Steven M. Bellovin wrote: In message [EMAIL PROTECTED], James A. Donald writes: -- PKI was designed to defeat man in the middle attacks based on network sniffing, or DNS hijacking, which turned out to be less of a threat than expected. First, you mean the

Re: SSL stops credit card sniffing is a correlation/causality myth

2005-05-31 Thread Ian G
On Tuesday 31 May 2005 21:03, Perry E. Metzger wrote: Ian G [EMAIL PROTECTED] writes: On Tuesday 31 May 2005 02:17, Steven M. Bellovin wrote: The next part of this is circular reasoning. We don't see network sniffing for credit card numbers *because* we have SSL. I think you meant

Re: SSL stops credit card sniffing is a correlation/causality myth

2005-06-01 Thread Ian G
On Wednesday 01 June 2005 10:35, Birger Tödtmann wrote: On Tuesday, 31.05.2005, 18:31 +0100, Ian G wrote: [...] As an alternate hypothesis, credit cards are not sniffed and never will be sniffed simply because that is not economic. If you can hack a database and lift 10,000

Digital signatures have a big problem with meaning

2005-06-01 Thread Ian G
On Tuesday 31 May 2005 23:43, Anne Lynn Wheeler wrote: in most business scenarios ... the relying party has previous knowledge and contact with the entity that they are dealing with (making the introduction of PKI digital certificates redundant and superfluous). Yes, this is directly what we

Re: SSL stops credit card sniffing is a correlation/causality myth

2005-06-01 Thread Ian G
On Tuesday 31 May 2005 23:43, Perry E. Metzger wrote: Ian G [EMAIL PROTECTED] writes: Just on the narrow issue of data - I hope I've addressed the other substantial points in the other posts. The only way we can overcome this issue is data. You aren't going to get it. The companies that get

Re: SSL stops credit card sniffing is a correlation/causality myth

2005-06-01 Thread Ian G
Hi Birger, Nice debate! On Wednesday 01 June 2005 13:52, Birger Tödtmann wrote: On Wednesday, 01.06.2005, 12:16 +0100, Ian G wrote: [...] The point is this: you *could* turn off SSL and it wouldn't make much difference to actual security in the short term at least, and maybe

Re: SSL stops credit card sniffing is a correlation/causality myth

2005-06-01 Thread Ian G
On Tuesday 31 May 2005 19:38, Steven M. Bellovin wrote: In message [EMAIL PROTECTED], Ian G writes: On Tuesday 31 May 2005 02:17, Steven M. Bellovin wrote: In message [EMAIL PROTECTED], James A. Donald writes: -- PKI was designed to defeat man in the middle attacks based on network

Re: Digital signatures have a big problem with meaning

2005-06-02 Thread Ian G
On Wednesday 01 June 2005 15:07, [EMAIL PROTECTED] wrote: Ian G writes: | In the end, the digital signature was just crypto | candy... On the one hand a digital signature should matter more the bigger the transaction that it protects. On the other hand, the bigger the transaction

Re: SSL stops credit card sniffing is a correlation/causality myth

2005-06-02 Thread Ian G
this incorrectly perhaps as SSL *stopped* sniffing. Subtle distinctions can sometimes matter. So please ignore the previous email, unless a cruel and unusual punishment is demanded... iang On Wednesday 01 June 2005 16:24, Ian G wrote: On Tuesday 31 May 2005 19:38, Steven M. Bellovin wrote

Re: SSL stops credit card sniffing is a correlation/causality myth

2005-06-02 Thread Ian G
On Thursday 02 June 2005 11:33, Birger Tödtmann wrote: On Wednesday, 01.06.2005, 15:23 +0100, Ian G wrote: [...] For an example of the latter, look at Netcraft. This is quite serious - they are putting out a tool that totally bypasses PKI/SSL in securing browsing. Is it insecure

Re: Citibank discloses private information to improve security

2005-06-02 Thread Ian G
On Wednesday 01 June 2005 23:38, Anne Lynn Wheeler wrote: in theory, the KISS part of SSL's countermeasure for MITM-attack ... is does the URL you entered match the URL in the provided certificate. An attack is inducing a fraudulent URL to be entered for which the attackers have a valid

Re: [Clips] Storm Brews Over Encryption 'Safe Harbor' in Data Breach Bills

2005-06-02 Thread Ian G
On Thursday 02 June 2005 19:28, R.A. Hettinga wrote: http://www.eweek.com/print_article2/0,2533,a=153008,00.asp Storm Brews Over Encryption 'Safe Harbor' in Data Breach Bills May 31, 2005 Just to make it more interesting, the AG of New York, Elliot Spitzer has introduced a package of

Cell phone crypto aims to baffle eavesdroppers

2005-06-02 Thread Ian G
Cell phone crypto aims to baffle eavesdroppers By Munir Kotadia, ZDNet Australia Published on ZDNet News: May 31, 2005, 4:10 PM PT An Australian company last week launched a security tool for GSM mobile phones that encrypts transmissions to avoid eavesdroppers. GSM, or Global System for

Re: [Clips] Storm Brews Over Encryption 'Safe Harbor' in Data Breach Bills

2005-06-03 Thread Ian G
On Friday 03 June 2005 14:38, Greg Rose wrote: At 00:48 2005-06-03 +0100, Ian G wrote: Just to make it more interesting, the AG of New York, Elliot Spitzer has introduced a package of legislation intended to rein in identity theft including: Facilitating prosecutions against computer

Re: Papers about Algorithm hiding ?

2005-06-04 Thread Ian G
On Thursday 02 June 2005 13:50, Steve Furlong wrote: On 5/31/05, Ian G [EMAIL PROTECTED] wrote: I don't agree with your conclusion that hiding algorithms is a requirement. I think there is a much better direction: spread more algorithms. If everyone is using crypto then how can

Re: Papers about Algorithm hiding ?

2005-06-07 Thread Ian G
On Tuesday 07 June 2005 14:52, John Kelsey wrote: From: Ian G [EMAIL PROTECTED] Sent: Jun 7, 2005 7:43 AM To: John Kelsey [EMAIL PROTECTED] Cc: Steve Furlong [EMAIL PROTECTED], cryptography@metzdowd.com Subject: Re: Papers about Algorithm hiding ? [My comment was that better crypto would

The encrypt everything problem

2005-06-08 Thread Ian G
On Wednesday 08 June 2005 18:33, [EMAIL PROTECTED] wrote: Ken Buchanan wrote: Another area where I predict vendors will (should) offer built in solutions is with database encryption. A lot of laws require need-to-know based access control, and with DBAs being able to see all entries that is

Re: ID theft -- so what?

2005-08-14 Thread Ian G
Ben Laurie wrote: Ian Grigg wrote: Too many words? OK, here's the short version of why phising occurs: Browsers implement SSL+PKI and SSL+PKI is secure so we don't need to worry about it. PKI+SSL *is* the root cause of the problem. It's just not the certificate level but the business and

Re: Another entry in the internet security hall of shame....

2005-08-24 Thread Ian G
In another routine event in the adventure known as getting security to work in spite of the security, I just received this ... [fwd] When creating a google talk compatible IM personality in Apple's iChat you get the following warning on the Google Help pages: -=-=- 12. Check the boxes next

Re: Another entry in the internet security hall of shame....

2005-08-25 Thread Ian G
Trei, Peter wrote: Self-signed certs are only useful for showing that a given set of messages are from the same source - they don't provide any trustworthy information as to the binding of that source to anything. Perfectly acceptable over chat, no? That is, who else would you ask to confirm

Re: Another entry in the internet security hall of shame....

2005-08-25 Thread Ian G
Tim Dierks wrote: [resending due to e-mail address / cryptography list membership issue] On 8/24/05, Ian G [EMAIL PROTECTED] wrote: Once you've configured iChat to connect to the Google Talk service, you may receive a warning message that states your username and password will be transferred

Re: e2e all the way (Re: Another entry in the internet security hall of shame....)

2005-08-27 Thread Ian G
Steven M. Bellovin wrote: Do I support e2e crypto? Of course I do! But the cost -- not the computational cost; the management cost -- is quite high; you need to get authentic public keys for all of your correspondents. That's beyond the ability of most people. I don't think it is that hard

Re: Another entry in the internet security hall of shame....

2005-08-27 Thread Ian G
Steven M. Bellovin wrote: But this underscores one of my points: communications security is fine, but the real problem is *information* security, which includes the endpoint. (Insert here Gene Spafford's comment about the Internet, park benches, cardboard shacks, and armored cars.) *That*

Re: Another entry in the internet security hall of shame....

2005-08-29 Thread Ian G
Anne Lynn Wheeler wrote: the major ISPs are already starting to provide a lot of security software to their customers. a very straight forward one would be if they provided public key software ... to (generate if necessary) and register a public key in lieu of password ... and also support the

Re: Another entry in the internet security hall of shame....

2005-08-31 Thread Ian G
James A. Donald wrote: -- From: [EMAIL PROTECTED] (Peter Gutmann) TLS-PSK fixes this problem by providing mutual authentication of client and server as part of the key exchange. Both sides demonstrate proof-of- possession of the password (without actually communicating

Re: [Anti-fraud] Re: Another entry in the internet security hall of shame....

2005-09-07 Thread Ian G
Alaric Dailey wrote: Thus ATMs and the weak 2 factor authentication system they use are untrustworthy, I knew that already, but as I said, it's better than not having the multifactor authentication. The fact that many cards may be used as credit card and you thus bypass the second factor, is a

Re: [Anti-fraud] simple (secure??) PW-based web login (was Re: Another entry in theinternet security hall of shame....)

2005-09-14 Thread Ian G
Amir Herzberg wrote: For a stationary user, the extension compares _Iterations_ and confirm it is at most one less than previous value of _Iterations_ used with this site. (Minor point - if relying on incrementing Iterations, this may impact password sharing scenarios. Whether that's a good

Re: NSA Suite B Cryptography

2005-10-14 Thread Ian G
Sidney Markowitz wrote: Excerpt from Fact Sheet on NSA Suite B Cryptography http://www.nsa.gov/ia/industry/crypto_suite_b.cfm NSA has determined that beyond the 1024-bit public key cryptography in common use today, rather than increase key sizes beyond 1024-bits, a switch to elliptic curve

Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-22 Thread Ian G
R. Hirschfeld wrote: Date: Thu, 20 Oct 2005 11:31:39 -0700 From: cyphrpunk [EMAIL PROTECTED] 2. Cash payments are final. After the fact, the paying party has no means to reverse the payment. We call this property of cash transactions _irreversibility_. Certainly Chaum ecash has this

Re: Some thoughts on high-assurance certificates

2005-11-02 Thread Ian G
Ed Reed wrote: Getting PKI baked into the every day representations people routinely manage seems desirable and necessary to me. The pricing model that has precluded that in the past (you need a separate PKi certificate for each INSURANCE policy?) is finally melting away. We may be ready to

Re: ISAKMP flaws?

2005-11-18 Thread Ian G
Florian Weimer wrote: Photuris uses a baroque variable-length integer encoding similar to that of OpenPGP, a clear warning sign. 8-/ Actually, if one variable-length integer encoding is used instead of 5 other formats in all sorts of strange places, I'd say this is a good sign. Although I

Haskell crypto

2005-11-19 Thread Ian G
Someone mailed me with this question, anyone know anything about Haskell? Original Message I just recently stepped into open source cryptography directly, rather than just as a user. I'm writing a SHA-2 library completely in Haskell, which I recently got a thing for in a bad

Re: Session Key Negotiation

2005-12-03 Thread Ian G
Will Morton wrote: I am designing a transport-layer encryption protocol, and obviously wish to use as much existing knowledge as possible, in particular TLS, which AFAICT seems to be the state of the art. In TLS/SSL, the client and the server negotiate a 'master secret' value which is passed

Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-04 Thread Ian G
[EMAIL PROTECTED] wrote: You know, I'd wonder how many people on this list use or have used online banking. To start the ball rolling, I have not and won't. I have not! I declined the chance when my bank told me that I had to download their special client that only runs on windows...

Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-05 Thread Ian G
[EMAIL PROTECTED] wrote: dan, maybe you should just keep less money in the bank. i use online banking and financial services of almost every kind (except bill presentment, because i like paper bills). i cannot do without it. it seems to me the question is how much liability do i expose

Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-06 Thread Ian G
[EMAIL PROTECTED] wrote: okay, i read this story from 7/2005 reporting an incident in 5/2005. the short form of it is: Not a bad summary. I'd say that when one is dealing with any such crime, there are always unanswered questions, and issues of confusion (probably as much for the attacker

Re: browser vendors and CAs agreeing on high-assurance certificat es

2005-12-23 Thread Ian G
BTW, illustrating points made here, the cert is for financialcryptography.com but your link was to www.financialcryptography.com. So of course Firefox generated a warning. Indeed, and even if that gets fixed we still have to contend with: * the blog software can't handle the nature

Re: browser vendors and CAs agreeing on high-assurance certificat es

2005-12-24 Thread Ian G
Ben Laurie wrote: ... Hopefully over the next year, the webserver (Apache) will be capable of doing the TLS extension for sharing certs so then it will be reasonable to upgrade. In fact, I'm told (I'll dig up the reference) that there's an X509v3 extension that allows you to specify alternate

Re: browser vendors and CAs agreeing on high-assurance certificat es

2005-12-27 Thread Ian G
Ben Laurie wrote: Ian G wrote: ... http://wiki.cacert.org/wiki/VhostTaskForce (The big problem of course is that you can use one cert to describe many domains only if they are the same administrative entity.) If they share an IP address (which they must, otherwise there's no problem

Re: long-term GPG signing key

2006-01-10 Thread Ian G
Travis H. wrote: I'd like to make a long-term key for signing communication keys using GPG and I'm wondering what the current recommendation is for such. I remember a problem with Elgamal signing keys and I'm under the impression that the 1024 bit strength provided by p in the DSA is not

Re: long-term GPG signing key

2006-01-11 Thread Ian G
Amir Herzberg wrote: Ian G wrote: Travis H. wrote: I'd like to make a long-term key for signing communication keys using GPG and I'm wondering what the current recommendation is for such. I remember a problem with Elgamal signing keys and I'm under the impression that the 1024 bit strength

Re: long-term GPG signing key

2006-01-11 Thread Ian G
Travis H. wrote: On 1/10/06, Ian G [EMAIL PROTECTED] wrote: 2. DSA has a problem, it relies on a 160 bit hash, which is for most purposes the SHA-1 hash. Upgrading the crypto to cope with current hash circumstances is not worthwhile; we currently are waiting on NIST to lead review in hashes

Re: long-term GPG signing key

2006-01-11 Thread Ian G
Perry E. Metzger wrote: Ian G [EMAIL PROTECTED] writes: Travis H. wrote: I'd like to make a long-term key for signing communication keys using GPG and I'm wondering what the current recommendation is for such. I remember a problem with Elgamal signing keys and I'm under the impression

Re: long-term GPG signing key

2006-01-13 Thread Ian G
Alexander Klimov wrote: On Wed, 11 Jan 2006, Ian G wrote: Even though triple-DES is still considered to have avoided that trap, its relatively small block size means you can now put the entire decrypt table on a dvd (or somesuch, I forget the maths). This would need 8 x 2^{64} bytes

Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-26 Thread Ian G
Peter Saint-Andre wrote: Ian G wrote: To get people to do something they will say no to, we have to give them a freebie, and tie it to the unpleasantry. E.g., in SSH, we get a better telnet, and there is only the encrypted version. We could

Re: Failure of PKI in messaging

2007-02-13 Thread Ian G
Steven M. Bellovin wrote: On Mon, 12 Feb 2007 17:03:32 -0500 Matt Blaze [EMAIL PROTECTED] wrote: I'm all for email encryption and signatures, but I don't see how this would help against today's phishing attacks very much, at least not without a much better trust management interface on email

Re: crypto component services - is there a market?

2007-04-19 Thread Ian G
Stefan Kelm wrote: Same with digital timestamping. Here in Europe, e-invoicing very slowly seems to be becoming a (or should I say the?) long-awaited application for (qualified) electronic signatures. Hmmm... last I heard, qualified certificates can only be issued to individuals, and

Re: Cryptome cut off by NTT/Verio

2007-04-29 Thread Ian G
Perry E. Metzger wrote: Slightly off topic, but not deeply. Many of you are familiar with John Young's Cryptome web site. Apparently NTT/Verio has suddenly (after many years) decided that Cryptome violates the ISP's AUP, though they haven't made it particularly clear why. The following link

Re: Was a mistake made in the design of AACS?

2007-05-02 Thread Ian G
Hal Finney wrote: Perry Metzger writes: Once the release window has passed, the attacker will use the compromise aggressively and the authority will then blacklist the compromised player, which essentially starts the game over. The studio collects revenue during the release window, and sometimes

no surprise - Sun fails to open source the crypto part of Java

2007-05-12 Thread Ian G
Does anyone know what Sun failed to opensource in the crypto part of Java? http://news.com.com/Open-source+Java-except+for+the+exceptions/2100-7344_3-6182416.html They also involve some elements of sound and cryptography, said Tom Marble, Sun's OpenJDK ambassador. We have already contacted

Re: no surprise - Sun fails to open source the crypto part of Java

2007-05-14 Thread Ian G
Nicolas Williams wrote: Subject: Re: no surprise - Sun fails to open source the crypto part of Java Were you not surprised because you knew that said source is encumbered, or because you think Sun has some nefarious motive to not open source that code? Third option: the architecture of

Re: no surprise - Sun fails to open source the crypto part of Java

2007-05-15 Thread Ian G
Nicolas Williams wrote: On Mon, May 14, 2007 at 11:06:47AM -0600, [EMAIL PROTECTED] wrote: Ian G wrote: * Being dependent on PKI style certificates for signing, ... The most important motivation at the time was to avoid the risk of Java being export-controlled as crypto. The theory within

Re: A crazy thought?

2007-06-09 Thread Ian G
Allen wrote: Which lead me to the thought that if it is possible, what could be done to reduce the risk of it happening? It occurred to me that perhaps some variation of separation of duties like two CAs located in different political environments might be used to accomplish this by having

Re: Blackberries insecure?

2007-06-21 Thread Ian G
Steven M. Bellovin wrote: According to the AP (which is quoting Le Monde), French government defense experts have advised officials in France's corridors of power to stop using BlackBerry, reportedly to avoid snooping by U.S. intelligence agencies. That's a bit puzzling. My understanding is

Re: The bank fraud blame game

2007-07-01 Thread Ian G
Florian Weimer wrote: * Jerry Leichter: OK, I could live with that as stated. But: The code also adds: We reserve the right to request access to your computer or device in order to verify that you have taken all reasonable steps to protect your computer or device and

Re: New article on root certificate problems with Windows

2007-07-19 Thread Ian G
[EMAIL PROTECTED] wrote: From a security point of view, this is really bad. From a usability point of view, it's necessary. I agree with all the above, including deleted. The solution is to let the HCI people into the design process, something that's very rarely, if ever, done in the

Re: Another Snake Oil Candidate

2007-09-13 Thread Ian G
Hagai Bar-El wrote: Hi, On 12/09/07 08:56, Aram Perez wrote: The IronKey appears to provide decent security while it is NOT plugged into a PC. But as soon as you plug it in and you have to enter a password to unlock it, the security level quickly drops. This would be the case even if they

Re: open source digital cash packages

2007-09-23 Thread Ian G
Steven M. Bellovin wrote: Are there any open source digital cash packages available? I need one as part of another research project. I can think of a few ways to answer this question. 1. blinded money demo programs: there is magic money, in C and in Java. Also I think Ben Laurie wrote

Re: Scare tactic?

2007-09-23 Thread Ian G
Ivan Krstić wrote: On Sep 19, 2007, at 5:01 PM, Nash Foster wrote: Any actual cryptographers care to comment on this? I don't feel qualified to judge. If the affected software is doing DH with a malicious/compromised peer, the peer can make it arrive at a predictable secret -- which would be
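The point quoted above, that a malicious Diffie-Hellman peer can make the other side arrive at a predictable secret, is worth seeing concretely. The following is an added example and not code from the thread or from the affected software: it uses a constructed toy safe-prime group (p = 23, q = 11, g = 4 of order q) to show that sending a public value of 0, 1 or p-1 fixes the victim's shared secret regardless of its private exponent, and the public-value check (range test plus y^q = 1 mod p) that rejects such values. A real deployment would use a 2048-bit or larger group; the check is the same.

```python
"""Degenerate DH public values and the check that rejects them, added example.

Toy safe prime p = 2q + 1 and a generator of the order-q subgroup,
constructed for illustration only.
"""
import secrets

P = 23                    # toy safe prime (constructed)
Q = (P - 1) // 2          # 11, prime
G = 4                     # 4 = 2^2 is a quadratic residue mod 23, so its order is q


def keygen():
    """Honest party: private exponent in [1, q-1], public value g^x mod p."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)


def shared_secret_unchecked(peer_public: int, my_private: int) -> int:
    """Vulnerable path: uses whatever public value the peer sent."""
    return pow(peer_public, my_private, P)


def valid_public_value(y: int) -> bool:
    """Reject 0, 1, p-1 and anything outside the order-q subgroup."""
    return 2 <= y <= P - 2 and pow(y, Q, P) == 1


def shared_secret_checked(peer_public: int, my_private: int) -> int:
    if not valid_public_value(peer_public):
        raise ValueError("peer public value rejected: %d" % peer_public)
    return pow(peer_public, my_private, P)


MALICIOUS_PUBLIC_VALUES = (0, 1, P - 1)


def attacker_prediction(sent_value: int) -> set:
    """What the malicious peer knows the victim's secret will be,
    without knowing the victim's private exponent."""
    if sent_value == 0:
        return {0}
    if sent_value == 1:
        return {1}
    if sent_value == P - 1:
        return {1, P - 1}     # (-1)^a is +1 or -1 depending on the parity of a
    raise ValueError("not a degenerate value")


def demo_unchecked() -> dict:
    """For each degenerate value: did the attacker predict the victim's secret?"""
    results = {}
    for bad in MALICIOUS_PUBLIC_VALUES:
        a, _ = keygen()
        results[bad] = shared_secret_unchecked(bad, a) in attacker_prediction(bad)
    return results            # {0: True, 1: True, 22: True}


def demo_checked() -> dict:
    """Same values against the checked path: every one is rejected."""
    results = {}
    for bad in MALICIOUS_PUBLIC_VALUES:
        a, _ = keygen()
        try:
            shared_secret_checked(bad, a)
            results[bad] = False
        except ValueError:
            results[bad] = True
    return results
```

The subgroup test `pow(y, Q, P) == 1` is what makes the check complete for a safe prime: with p = 2q + 1 the only element orders are 1, 2, q and 2q, so a value that passes the range test and lies in the order-q subgroup cannot be steered into a small set of secrets. With a non-safe prime the peer has more small subgroups to pick from, and the same membership test is the defence.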

Re: Full Disk Encryption solutions selected for US Government use

2007-10-08 Thread Ian G
Peter Gutmann wrote: Ben Laurie [EMAIL PROTECTED] writes: Peter Gutmann wrote: Given that it's for USG use, I imagine the FIPS 140 entry barrier for the government gravy train would be fairly effective in keeping any OSS products out. ? OpenSSL has FIPS 140. But if you build a FDE product

Re: forward-secrecy for email? (Re: Hushmail in U.S. v. Tyler Stumbo)

2007-11-08 Thread Ian G
Adam Back wrote: On Fri, Nov 02, 2007 at 06:23:30PM +0100, Ian G wrote: I was involved in one case where super-secret stuff was shared through hushmail, and was also dual encrypted with non-hushmail-PGP for added security. In the end, the lawyers came in and scarfed up the lot with subpoenas

Re: Lack of fraud reporting paths considered harmful.

2008-01-27 Thread Ian G
John Ioannidis wrote: Perry E. Metzger wrote: That's not practical. If you're a large online merchant, and your automated systems are picking up lots of fraud, you want an automated system for reporting it. Having a team of people on the phone 24x7 talking to your acquirer and reading them

Re: two-person login?

2008-01-29 Thread Ian G
John Denker wrote: We need to talk about threat models: a) The purveyors of the system in question don't have any clue as to what their threat model is. I conjecture that they might be motivated by the non-apt analogies itemized above. b) In the system in question, there are myriad

Re: Fixing SSL (was Re: Dutch Transport Card Broken)

2008-02-01 Thread Ian G
Eric Rescorla wrote: (as if anyone uses client certificates anyway)? Guess why so few people are using it ... If it were secure, more people would be able to use it. No, if it were *convenient* people would use it. I know of absolutely zero evidence (nor have you presented any) that people

Re: Gutmann Soundwave Therapy

2008-02-01 Thread Ian G
James A. Donald wrote: I have been considering the problem of encrypted channels over UDP or IP. TLS will not work for this, since it assumes and provides a reliable, and therefore non timely channel, whereas what one wishes to provide is a channel where timeliness may be required at the

Re: TLS-SRP TLS-PSK support in browsers (Re: Dutch Transport Card Broken)

2008-02-01 Thread Ian G
Frank Siebenlist wrote: Why do the browser companies not care? I spent a few years trying to interest (at least) one browser vendor with looking at new security problems (phishing) and using the knowledge that we had to solve this (opportunistic cryptography). No luck whatsoever. My view

Re: TLS-SRP TLS-PSK support in browsers (Re: Dutch Transport Card Broken)

2008-02-10 Thread Ian G
Peter Gutmann wrote: Victor Duchovni [EMAIL PROTECTED] writes: While Firefox should ideally be developing and testing PSK now, without stable libraries to use in servers and browsers, we can't yet expect anything to be released. Is that the FF developers' reason for holding back? Just

Re: Cruising the stacks and finding stuff

2008-04-24 Thread Ian G
Allen wrote: Add Moore's Law, a bigger budget and a more efficient machine, how long before AES-128 can be decoded in less than a day? It does make one ponder. Wander over to http://keylength.com/ and poke at their models. They have 6 or so to choose from, and they have it coded up in

Re: User interface, security, and simplicity

2008-05-04 Thread Ian G
Perry E. Metzger wrote: It is obvious to anyone using modern IPSec implementations that their configuration files are a major source of pain. In spite of this, the designers don't seem to see any problem. The result has been that people see IPSec as unpleasant and write things like OpenVPN when
