DH with shared secret

2003-10-03 Thread Jack Lloyd
This was just something that popped into my head a while back, and I was wondering if this works like I think it does. And who came up with it before me, because it was too obvious. It's just that I've never heard of something along these lines before. Basically, you share some secret with

SSL accel cards

2004-05-25 Thread Jack Lloyd
Does anyone know of an SSL acceleration card that actually works under Linux/*BSD? I've been looking at vendor web pages (AEP, Rainbow, etc), and while they all claim to support Linux, Googling around all I find are people saying Where can I get drivers? The ones vendor shipped only work on

Re: Passwords can sit on disk for years

2004-06-14 Thread Jack Lloyd
On Mon, Jun 14, 2004 at 11:31:23AM +, [EMAIL PROTECTED] wrote: Ben Laurie wrote: In OpenSSL we overwrite with random gunk for this reason. What? No compiler is smart enough to say, The program sets these variables but they are never referenced again. I'll save time and not set them.

SHA-1 results available

2005-02-22 Thread Jack Lloyd
http://theory.csail.mit.edu/~yiqun/shanote.pdf No real details, just collisions for 80 round SHA-0 (which I just confirmed) and 58 round SHA-1 (which I haven't bothered with), plus the now famous work factor estimate of 2^69 for full SHA-1. As usual, Technical details will be provided in a

Re: EDP (entropy distribution protocol), userland PRNG design

2005-10-12 Thread Jack Lloyd
On Wed, Oct 12, 2005 at 04:49:43AM -0500, Travis H. wrote: I am thinking of making a userland entropy distribution system, so that expensive HWRNGs may be shared securely amongst several machines. [...] Comments? -- http://www.lightconsulting.com/~travis/ -- We already have enough fast,

Re: EDP (entropy distribution protocol), userland PRNG design

2005-10-19 Thread Jack Lloyd
On Tue, Oct 18, 2005 at 12:18:57AM -0500, Travis H. wrote: source(s) -- mixer -- pool -- extractor -- X9.31 Where can I find out more about the design choices for these stages? Peter Gutmann has several good papers on RNG design, as have some folks currently or formerly associated with

Re: [EMAIL PROTECTED]: Skype security evaluation]

2005-10-26 Thread Jack Lloyd
On Wed, Oct 26, 2005 at 07:47:22AM -0700, Dirk-Willem van Gulik wrote: On Mon, 24 Oct 2005, cyphrpunk wrote: Is it possible that Skype doesn't use RSA encryption? Or if they do, do they do it without using any padding, and is that safe? You may want to read the report itself:

Re: Pseudorandom Number Generator in Ansi X9.17

2005-11-10 Thread Jack Lloyd
On Thu, Nov 10, 2005 at 10:33:18AM +, Terence Joseph wrote: Hi, The Pseudorandom Number Generator specified in Ansi X9.17 used to be one of the best PRNGs available if I am correct. I was just wondering if this is still considered to be the case? Is it widely used in practical

Re: the effects of a spy

2005-11-18 Thread Jack Lloyd
On Thu, Nov 17, 2005 at 12:10:53PM -0500, John Kelsey wrote: c. Maybe they just got it wrong. SHA0 and SHA1 demonstrate that this is all too possible. (It's quite plausible to me that they have very good tools for analyzing block ciphers, but that they aren't or weren't sure how to best

Encryption using password-derived keys

2005-11-30 Thread Jack Lloyd
The basic scenario I'm looking at is encrypting some data using a password-derived key (using PBKDF2 with sane salt sizes and iteration counts). I am not sure if what I'm doing is sound practice or just pointless overengineering and wanted to get a sanity check. My inclination is to use the

Re: another feature RNGs could provide

2005-12-12 Thread Jack Lloyd
On Mon, Dec 12, 2005 at 12:20:26AM -0600, Travis H. wrote: 2) While CTR mode with a random key is sufficient for creating a permutation of N-bit blocks for a fixed N, is there a general-purpose way to create an N-bit permutation, where N is a variable? How about picking a cryptographically

Re: Looking for fast KASUMI implementation

2005-12-16 Thread Jack Lloyd
Define fast - KASUMI is based heavily on MISTY1. In fact, during a fast scan of the KASUMI spec, I couldn't see anywhere obvious where it differed from MISTY1 at all. As far as I know, I'm the only person who has even tried writing fast code for MISTY1, and the result is quite dog-slow compared

Re: crypto for the average programmer

2005-12-17 Thread Jack Lloyd
On Fri, Dec 16, 2005 at 05:41:48PM +, Ben Laurie wrote: No, OpenSSL is self-contained. There is, IIRC, an engine that uses GMP if you want, but it's entirely optional; OpenSSL has its own bignum implementation that's just as good. Last I checked, public key operations in OpenSSL were

Standard ways of PKCS #8 encryption without PKCS #5?

2005-12-23 Thread Jack Lloyd
Does anyone know of any 'standard' [*] ways of encrypting private keys in the usual PKCS #8 format without using password-based encryption? It is obviously not hard to do, as you can stick whatever you like into the encryptionAlgorithm field, so it would be easy to specify a plain encryption

Re: crypto for the average programmer

2005-12-27 Thread Jack Lloyd
On Tue, Dec 27, 2005 at 02:28:07PM +, Ben Laurie wrote: Apparently this rather depends on platform and compiler options. I am reliably informed that GMP is not always faster. For those that really care it'd be cool if someone did a careful comparison. It would also be interesting to


2006-01-03 Thread Jack Lloyd
Some relevant and recent data: in some tests I ran this weekend (GMP 4.1.2, OpenSSL 0.9.8a, Athlon/gcc/Linux) RSA operations using GMP were somewhat faster than ones using OpenSSL even when blinding was used with both (typical performance boost was 15-20%). I assume both of which are needed


2006-01-03 Thread Jack Lloyd
On Tue, Jan 03, 2006 at 10:10:50PM +, Ben Laurie wrote: Yes, you are - there's the cache attack, which requires the attacker to have an account on the same machine. I guess I shouldn't have called it constant time, since it's really constant memory access that defends against this.

Re: thoughts on one time pads

2006-01-26 Thread Jack Lloyd
On Thu, Jan 26, 2006 at 05:30:36AM -0600, Travis H. wrote: [...] Excuse me? This would in fact be a _perfect_ way to distribute key material for _other_ cryptosystems, such as PGP, SSH, IPSec, openvpn, gaim-encryption etc. etc. You see, he's right in that the key distribution problem is the

Re: general defensive crypto coding principles

2006-02-09 Thread Jack Lloyd
On Thu, Feb 09, 2006 at 05:01:05PM +1300, Peter Gutmann wrote: So you can use encrypt-then-MAC, but you'd better be *very* careful how you apply it, and MAC at least some of the additional non-message- data components as well. Looking at the definitions in the paper, I think it is pretty

Re: general defensive crypto coding principles

2006-02-11 Thread Jack Lloyd
On Fri, Feb 10, 2006 at 07:21:05PM +1300, Peter Gutmann wrote: Well, that's the exact problem that I pointed out in my previous message - in order to get this right, people have to read the mind of the paper author to divine their intent. Since the consumers of the material in the paper

Re: general defensive crypto coding principles

2006-02-14 Thread Jack Lloyd
On Tue, Feb 14, 2006 at 03:24:09AM +1300, Peter Gutmann wrote: 1. There are a great many special-case situations where no published protocol fits. As the author of a crypto toolkit, I could give you a list as long as your arm of user situations where no existing protocol can be applied

Re: Entropy Definition (was Re: passphrases with more than 160 bits of entropy)

2006-03-23 Thread Jack Lloyd
On Wed, Mar 22, 2006 at 03:29:07PM -0800, Aram Perez wrote: * How do you measure entropy? I was under the (false) impression that Shannon gave a formula that measured the entropy of a message (or information stream). He did give a formula for the entropy of a source; however the

Re: EDP (entropy distribution protocol), userland PRNG design

2006-07-02 Thread Jack Lloyd
On Sun, Jul 02, 2006 at 03:25:09AM -0500, Travis H. wrote: Going over old emails. On 10/12/05, Jack Lloyd [EMAIL PROTECTED] wrote: I prefer a multi-stage design, as described by various people smarter than I am: source(s) -- mixer -- pool -- extractor -- X9.31 Did you really mean

Re: A note on vendor reaction speed to the e=3 problem

2006-09-18 Thread Jack Lloyd
On Fri, Sep 15, 2006 at 09:48:16AM -0400, David Shaw wrote: GPG was not vulnerable, so no fix was issued. Incidentally, GPG does not attempt to parse the PKCS/ASN.1 data at all. Instead, it generates a new structure during signature verification and compares it to the original. Botan does

Re: DNSSEC to be strangled at birth.

2007-04-05 Thread Jack Lloyd
On Wed, Apr 04, 2007 at 05:51:27PM +0100, Dave Korn wrote: Can anyone seriously imagine countries like Iran or China signing up to a system that places complete control, surveillance and falsification capabilities in the hands of the US' military intelligence? How is this any different from

Re: no surprise - Sun fails to open source the crypto part of Java

2007-05-12 Thread Jack Lloyd
On Fri, May 11, 2007 at 04:42:47PM +0200, Ian G wrote: They also involve some elements of sound and cryptography, said Tom Marble, Sun's OpenJDK ambassador. We have already contacted the copyright holders. We were unable to negotiate release under an open-source license, Marble said. I

Re: New DoD encryption mandate

2007-08-20 Thread Jack Lloyd
On Fri, Aug 17, 2007 at 05:21:16PM -0700, Alex Alten wrote: Agreed, for most requirements. Sometimes one may need to keep keys in trusted hardware only. The only real fly-in-the-ointment is that current hash algorithms (SHA-1, SHA-2, etc.) don't scale across multiple CPU cores (assuming you

Re: Retailers try to push data responsibilities back to banks

2007-10-05 Thread Jack Lloyd
On Thu, Oct 04, 2007 at 06:48:49PM -0400, Leichter, Jerry wrote: Prat Moghe, founder and CTO of Tizor Systems Inc., a Maynard, Mass.-based security firm, called the NRF's demand political posturing and said it would do little to improve retail security anytime soon. I think a lot of this is

Re: Password vs data entropy

2007-10-27 Thread Jack Lloyd
On Thu, Oct 25, 2007 at 09:16:21PM -0700, Alex Pankratov wrote: Assuming the password is an English word or a phrase, and the secret is truly random, does it mean that the password needs to be 3100+ characters in size in order to provide a proper degree of protection to the value ? If

Re: More on in-memory zeroisation

2007-12-14 Thread Jack Lloyd
On Wed, Dec 12, 2007 at 05:27:38PM -0500, Thierry Moreau wrote: As a consequence of alleged consensus above, my understanding of the C standard would prevail and (memset)(?,0,?) would refer to an external linkage function, which would guarantee (to the strength of the above consensus)

Re: cold boot attacks on disk encryption

2008-02-21 Thread Jack Lloyd
On Thu, Feb 21, 2008 at 12:10:33PM -0500, Perry E. Metzger wrote: Ed Felten blogs on his latest research: http://www.freedom-to-tinker.com/?p=1257 Excerpt: Today eight colleagues and I are releasing a significant new research result. We show that disk encryption, the standard

Re: Protection for quasi-offline memory nabbing

2008-03-21 Thread Jack Lloyd
On Tue, Mar 18, 2008 at 09:46:45AM -0700, Jon Callas wrote: What operates like a block cipher on a large chunk? Tweakable modes like EME. Or as a non-patented alternative one could use the Bear/Lion constructions [1], which can encrypt arbitrary size blocks at reasonably good speeds (depending

Re: Double Encryption Q

2008-04-18 Thread Jack Lloyd
On Fri, Apr 11, 2008 at 04:30:47PM +0200, COMINT wrote: Quick system scenario: You have packet [A]. It gets encrypted using an AES algo in a particular mode and we are left with [zA]. More data [B] is added to that encrypted packet. Now I have [zA]+[B] in one packet and I re-encrypt

Re: Cruising the stacks and finding stuff

2008-04-23 Thread Jack Lloyd
On Wed, Apr 23, 2008 at 08:20:27AM -0400, Perry E. Metzger wrote: There are a variety of issues. Smart cards have limited capacity. Many key agreement protocols yield only limited amounts of key material. I'll leave it to others to describe why a rational engineer might use fewer key bits,

Re: SSL and Malicious Hardware/Software

2008-04-29 Thread Jack Lloyd
On Mon, Apr 28, 2008 at 10:03:38PM -0400, Victor Duchovni wrote: On Mon, Apr 28, 2008 at 03:12:31PM -0700, Ryan Phillips wrote: What are people's opinions on corporations using this tactic? I can't think of a great way of alerting the user, but I would expect a pretty reasonable level of

Comments on SP800-108

2008-05-05 Thread Jack Lloyd
would advise you to remember that crypto does not exist in a vacuum, and should help, not hinder, the overall security of a system. Regards, Jack Lloyd

Re: User interface, security, and simplicity

2008-05-06 Thread Jack Lloyd
On Tue, May 06, 2008 at 03:40:46PM +, Steven M. Bellovin wrote: In particular, with TLS the session key can be negotiated between two user contexts; with IPsec/IKE, it's negotiated between a user and a system. (Yes, I'm oversimplifying here.) Is there any reason (in principle) that

Re: Why doesn't Sun release the crypto module of the OpenSPARC?

2008-06-30 Thread Jack Lloyd
On Fri, Jun 27, 2008 at 12:19:04PM -0700, zooko wrote: and probably other commodity products). Likewise newfangled ciphers like Salsa20 and EnRUPT will be considered by me to be faster than AES (because they are faster in software) rather than slower (because AES might be built into the

Re: Strength in Complexity?

2008-07-02 Thread Jack Lloyd
On Wed, Jul 02, 2008 at 07:25:36AM -0400, Perry E. Metzger wrote: [EMAIL PROTECTED] (Peter Gutmann) writes: (Actually even that doesn't really explain something like IKE... :-). Having been peripherally involved in the causation change for IKE, let me confess that it was caused by human

Re: Kaminsky finds DNS exploit

2008-07-09 Thread Jack Lloyd
On Wed, Jul 09, 2008 at 05:36:02PM +0100, Ben Laurie wrote: Paul Hoffman wrote: First off, big props to Dan for getting this problem fixed in a responsible manner. If there were widespread real attacks first, it would take forever to get fixes out into the field. However, we in the security

Re: Who cares about side-channel attacks?

2008-10-24 Thread Jack Lloyd
On Mon, Oct 06, 2008 at 05:51:50PM +1300, Peter Gutmann wrote: For the past several years I've been making a point of asking users of crypto on embedded systems (which would be particularly good targets for side-channel attacks, particularly ones that provide content-protection capabilities)

Re: combining entropy

2008-10-24 Thread Jack Lloyd
On Fri, Oct 24, 2008 at 10:23:07AM -0500, Thierry Moreau wrote: Do you really trust that no single source of entropy can have knowledge of the other source's output, so it can surreptitiously correlate its own? I.e., you are also assuming that these sources are *independent*. I do not

Re: combining entropy

2008-10-24 Thread Jack Lloyd
On Fri, Oct 24, 2008 at 03:20:24PM -0700, John Denker wrote: On 10/24/2008 01:12 PM, Jack Lloyd wrote: is a very different statement from saying that lacking such an attacker, you can safely assume your 'pools of entropy' (to quote the original question) are independent

Re: very high speed hardware RNG

2008-12-30 Thread Jack Lloyd
On Sun, Dec 28, 2008 at 08:12:09PM -0500, Perry E. Metzger wrote: Semiconductor laser based RNG with rates in the gigabits per second. http://www.physorg.com/news148660964.html My take: neat, but not as important as simply including a decent hardware RNG (even a slow one) in all PC

Re: very high speed hardware RNG

2008-12-30 Thread Jack Lloyd
On Tue, Dec 30, 2008 at 11:45:27AM -0500, Steven M. Bellovin wrote: Of course, every time a manufacturer has tried it, assorted people (including many on this list) complain that it's been sabotaged by the NSA or by alien space bats or some such. Well, maybe it has. Or maybe it was just not

Re: Property Rights in Keys

2009-02-12 Thread Jack Lloyd
On Thu, Feb 12, 2009 at 10:49:37AM -0700, s...@acw.com wrote: If anybody can alter, revoke or reissue a certificate then I agree it is common property to which attaches no meaningful notion of property rights. If on the other hand only certain people can alter, revoke or reissue a

Distinguisher and Related-Key Attack on the Full AES-256

2009-05-22 Thread Jack Lloyd
Alex Biryukov, Dmitry Khovratovich, and Ivica Nikolic gave a talk at the Eurocrypt rump session, 'Distinguisher and Related-Key Attack on the Full AES-256', with the full paper accepted to Crypto. Slides from Eurocrypt are here:

Re: Popular explanation of fully homomorphic encryption wanted

2009-06-17 Thread Jack Lloyd
On Tue, Jun 16, 2009 at 09:31:36AM -0700, Hal Finney wrote: Udhay Shankar N quotes wikipedia: The question was finally resolved in 2009 with the development of the first true fully homomorphic cryptosystem. The scheme, constructed by Craig Gentry, employs lattice based encryption and allows

Re: What will happen to your crypto keys when you die?

2009-07-03 Thread Jack Lloyd
On Thu, Jul 02, 2009 at 09:29:30AM +1000, silky wrote: A potentially amusing/silly solution would be to have one strong key that you change monthly, and then, encrypt *that* key, with a method that will be brute-forceable in 2 months and make it public. As long as you are constantly changing

Re: Fast MAC algorithms?

2009-07-22 Thread Jack Lloyd
On Tue, Jul 21, 2009 at 07:15:02PM -0500, Nicolas Williams wrote: I've an application that is performance sensitive, which can re-key very often (say, every 15 minutes, or more often still), and where no MAC is accepted after 2 key changes. In one case the entity generating a MAC is also the

NIST announces SHA-3 round 2 candidates

2009-07-25 Thread Jack Lloyd
http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/submissions_rnd2.html A report summarizing NIST's selection of these candidates will be forthcoming. A year is allocated for the public review of these algorithms, and the Second SHA-3 Candidate Conference is being planned for August 23-24, 2010,

512 bit RSA key used for TI 83+ auth cracked

2009-08-18 Thread Jack Lloyd
It seems the TI-83+ operating system is protected using some form of code signing scheme using a 512 bit RSA key. That key has now been factored: http://www.unitedti.org/index.php?showtopic= Which apparently will allow custom operating systems to run on the device. While this certainly is

Re: [tahoe-dev] Tahoe-LAFS key management, part 2: Tahoe-LAFS is like encrypted git

2009-08-19 Thread Jack Lloyd
On Wed, Aug 19, 2009 at 09:28:45AM -0600, Zooko Wilcox-O'Hearn wrote: [*] Linus Torvalds got the idea of a Cryptographic Hash Function Directed Acyclic Graph structure from an earlier distributed revision control tool named Monotone. He didn't go out of his way to give credit to Monotone,

Re: RNG using AES CTR as encryption algorithm

2009-09-08 Thread Jack Lloyd
On Wed, Sep 02, 2009 at 10:58:03AM +0530, priya yelgar wrote: Hi all, I have implemented RNG using AES algorithm in CTR mode. To test my implementation I needed some test vectors. How ever I searched on the CSRC site, but found the test vectors for AES_CBC not for AES CTR. Please?

Re: Possibly questionable security decisions in DNS root management

2009-10-16 Thread Jack Lloyd
On Wed, Oct 14, 2009 at 10:43:48PM -0400, Jerry Leichter wrote: If the constraints elsewhere in the system limit the number of bits of signature you can transfer, you're stuck. Presumably over time you'd want to go to a more bit-efficient signature scheme, perhaps using ECC. Even plain

Re: Possibly questionable security decisions in DNS root management

2009-10-20 Thread Jack Lloyd
On Sat, Oct 17, 2009 at 02:23:25AM -0700, John Gilmore wrote: DSA was (designed to be) full of covert channels. True, but TCP and UDP are also full of covert channels. And if you are worried that your signing software or hardware is compromised and leaking key bits, you have larger problems, no

Re: hedging our bets -- in case SHA-256 turns out to be insecure

2009-11-16 Thread Jack Lloyd
On Wed, Nov 11, 2009 at 10:03:45AM +0800, Sandy Harris wrote: C(x) = H1(H1(x) || H2(x)) This requires two hash(x) operations. A naive implementation needs two passes through the data and avoiding that does not appear to be trivial. This is not ideal since you seem very concerned about

Re: Intel to also add RNG

2010-07-12 Thread Jack Lloyd
On Mon, Jul 12, 2010 at 12:22:51PM -0400, Perry E. Metzger wrote: BTW, let me note that if Intel wanted to gimmick their chips to make them untrustworthy, there is very little you could do about it. The literature makes it clear at this point that short of carefully tearing apart and

Re: A mighty fortress is our PKI

2010-07-27 Thread Jack Lloyd
On Tue, Jul 27, 2010 at 06:07:02PM -0600, Paul Tiemann wrote: IE6-is-dead parties. Could some intelligent web designers come up with a few snippets of code in the various web flavors (PHP, ASP, JSP, etc) for people to easily install and include on their sites (as part of a movement to

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Jack Lloyd
On Wed, Jul 28, 2010 at 08:48:14AM -0400, Steven Bellovin wrote: There seem to be at least three different questions here: bad code (i.e., that Windows doesn't check the revocation status properly), the UI issue, and the conceptual question of what should replace the current PKI+{CRL,OCSP}

Re: deliberately crashing ancient computers (was: Re: A mighty fortress is our PKI)

2010-07-28 Thread Jack Lloyd
On Wed, Jul 28, 2010 at 11:04:30AM -0400, Jonathan Thornburg wrote: On Tue, 27 Jul 2010, Jack Lloyd suggested: http://www.crashie.com/ - if you're feeling malicious, just include the one line JavaScript that will make IE6 crash, maybe eventually the user will figure it out. (Or maybe

Re: Formal notice given of rearrangement of deck chairs on RMS PKItanic

2010-10-06 Thread Jack Lloyd
On Wed, Oct 06, 2010 at 04:52:46PM +1300, Peter Gutmann wrote: Right, because the problem with commercial PKI is all those attackers who are factoring 1024-bit moduli, and apart from that every other bit of it works perfectly. _If_ Mozilla and the other browser vendors actually go through

Re: [Cryptography] NSA and cryptanalysis

2013-09-02 Thread Jack Lloyd
On Mon, Sep 02, 2013 at 03:09:31PM -0400, Jerry Leichter wrote: a) The very reference you give says that to be equivalent to 128 bits symmetric, you'd need a 3072 bit RSA key - but they require a 2048 bit key. And the same reference says that to be equivalent to 256 bits symmetric, you need

Re: [Cryptography] Suite B after today's news

2013-09-06 Thread Jack Lloyd
I think that any of OCB, CCM, or EAX are preferable from a security standpoint, but none of them parallelize as well. If you want to do a lot of encrypted and authenticated high-speed link encryption, well, there is likely no other answer. It's GCM or nothing. OCB parallelizes very well in