Re: Nullsoft's WASTE communication system

2003-06-02 Thread John Kelsey
is whether those equation-solving attacks can really be used against AES, and there doesn't seem to be anyone who's completely confident of the answer to that question. ... Bear --John Kelsey, [EMAIL PROTECTED] PGP: FA48 3237 9AD5 30AC EEDD BBC8 2A80 6948 4CAA F259

Re: Non-repudiation (was RE: The PAIN mnemonic)

2004-01-02 Thread John Kelsey
agency. :-) Surely a better government-related TLA for this would be derived from Non-changeability, Secrecy, and Authentication :) Richard --John Kelsey, [EMAIL PROTECTED] PGP: FA48 3237 9AD5 30AC EEDD BBC8 2A80 6948 4CAA F259

Re: I don't know PAIN...

2004-01-02 Thread John Kelsey
but a hash function, and for all the variants of the Merkle puzzle schemes I can think of. (Which are public key, but just barely.) ... -- Jerry --John Kelsey, [EMAIL PROTECTED] PGP: FA48 3237 9AD5 30AC EEDD BBC8 2A80 6948 4CAA F259

RE: voting

2004-04-15 Thread John Kelsey
leave it unchanged. Peter Trei --John Kelsey, [EMAIL PROTECTED], who is definitely speaking only for himself. PGP: FA48 3237 9AD5 30AC EEDD BBC8 2A80 6948 4CAA F259 - The Cryptography Mailing List Unsubscribe by sending

Re: cryptograph(y|er) jokes?

2004-06-25 Thread John Kelsey
From: bear [EMAIL PROTECTED] Sent: Jun 22, 2004 3:46 PM Bob and Alice routinely discuss bombs, terrorism, tax cheating, sexual infidelity, and deviant sex over the internet. They conspire to commit crimes, share banned texts and suppressed news, or topple tyrannical governments whose

Re: Cryptography and the Open Source Security Debate

2004-08-10 Thread John Kelsey
From: lrk [EMAIL PROTECTED] Sent: Aug 6, 2004 1:04 PM To: R. A. Hettinga [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: Cryptography and the Open Source Security Debate ... More dangerous is a key generator which deliberately produces keys which are easy to factor by someone knowing

Re: On hash breaks, was Re: First quantum crypto bank transfer

2004-08-25 Thread John Kelsey
--John Kelsey

Re: HMAC?

2004-08-26 Thread John Kelsey
explanation in the Wang et al. paper, which hasn't been released yet. --John Kelsey

Re: ?splints for broken hash functions

2004-09-01 Thread John Kelsey
From: Ivan Krstic [EMAIL PROTECTED] Sent: Aug 29, 2004 8:40 AM To: Metzdowd Crypto [EMAIL PROTECTED] Subject: Re: ?splints for broken hash functions This is Schneier's and Ferguson's solution to then-known hash function weaknesses in Practical Cryptography, Wiley Publishing, 2003: We do not

Re: Implementation choices in light of recent attacks?

2004-09-06 Thread John Kelsey
.) Bear --John Kelsey

Re: Academics locked out by tight visa controls

2004-09-20 Thread John Kelsey
From: R. A. Hettinga [EMAIL PROTECTED] Sent: Sep 20, 2004 8:33 AM Subject: Academics locked out by tight visa controls http://www.mercurynews.com/mld/mercurynews/9710963.htm?template=contentModules/printstory.jsp Posted on Mon, Sep. 20, 2004 Academics locked out by tight visa controls U.S.

Re: Time for new hash standard

2004-09-22 Thread John Kelsey
From: Ian Farquhar [EMAIL PROTECTED] Sent: Sep 20, 2004 10:14 PM To: Hal Finney [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: Re: Time for new hash standard At 05:43 AM 21/09/2004, Hal Finney wrote: I believe this is a MAC, despite the name. It seems to be easier to

Re: AES Modes

2004-10-12 Thread John Kelsey
From: Ian Grigg [EMAIL PROTECTED] Sent: Oct 10, 2004 11:11 AM To: Metzdowd Crypto [EMAIL PROTECTED] Subject: AES Modes I'm looking for basic mode to encrypt blocks (using AES) of about 1k in length, +/- an order of magnitude. Looking at the above table (2nd link) there are oodles of proposed

Re: Linux-based wireless mesh suite adds crypto engine support

2004-10-05 Thread John Kelsey
. I'm sure there are some clever crypto protocol ways to address this (basically, do a zero-knowledge proof of the value of the random number you used in deriving the key), but I have a hard time thinking this is at all practical John --John Kelsey

Re: IBM's original S-Boxes for DES?

2004-10-06 Thread John Kelsey
From: Dave Howe [EMAIL PROTECTED] Sent: Oct 5, 2004 12:32 PM To: [EMAIL PROTECTED] Subject: Re: IBM's original S-Boxes for DES? More accurately, they didn't protect against linear cryptanalysis - there is no way to know if they knew about it and either didn't want to make changes to protect

A new academic hash result on the preprint server

2004-11-18 Thread John Kelsey
Guys, Bruce and I have a new result on hash function security, which uses Joux' multicollision trick in a neat way to allow long-message second preimage attacks. We've posted it to the e-print server. The basic result is that for any n-bit hash function built along the lines of SHA1 or

Re: Gov't Orders Air Passenger Data for Test

2004-11-21 Thread John Kelsey
News story quoted by RAH: WASHINGTON - The government on Friday ordered airlines to turn over personal information about passengers who flew within the United States in June in order to test a new system for identifying potential terrorists. The interesting thing here is that they can't really

Re: MD5 To Be Considered Harmful Someday

2004-12-08 Thread John Kelsey
--John Kelsey

Re: Blinky Rides Again: RCMP suspect al-Qaida messages

2004-12-13 Thread John Kelsey
From: Adam Shostack [EMAIL PROTECTED] Sent: Dec 11, 2004 4:52 PM Subject: Re: Blinky Rides Again: RCMP suspect al-Qaida messages ... It seems consistent that Al Qaeda prefers being 'fish in the sea' to standing out by use of crypto. Also, given the depth and breadth of conspiracies they believe

Re: The Pointlessness of the MD5 attacks

2004-12-15 Thread John Kelsey
From: Ben Laurie [EMAIL PROTECTED] Sent: Dec 14, 2004 9:43 AM To: Cryptography [EMAIL PROTECTED] Subject: The Pointlessness of the MD5 attacks Dan Kaminsky's recent posting seems to have caused some excitement, but I really can't see why. In particular, the idea of having two different

Re: The Pointlessness of the MD5 attacks

2004-12-22 Thread John Kelsey
From: Ben Laurie [EMAIL PROTECTED] Sent: Dec 22, 2004 12:24 PM To: David Wagner [EMAIL PROTECTED] Cc: cryptography@metzdowd.com Subject: Re: The Pointlessness of the MD5 attacks ... Assuming you could find a collision s.t. the resulting decryption looked safe with one version and unsafe with the

Re: entropy depletion (was: SSL/TLS passive sniffing)

2005-01-07 Thread John Kelsey
the PRNG is in a known state, and the time when it's used to generate an output. --John Kelsey

Re: Entropy and PRNGs

2005-01-10 Thread John Kelsey
From: John Denker [EMAIL PROTECTED] Sent: Jan 10, 2005 12:21 AM To: David Wagner [EMAIL PROTECTED] Cc: cryptography@metzdowd.com Subject: Re: Entropy and PRNGs Conditioned on everything known to the attacker, of course. Well, of course indeed! That notion of entropy -- the entropy in the

Re: Simson Garfinkel analyses Skype - Open Society Institute

2005-01-30 Thread John Kelsey
) to be eavesdropped by moderately technically savvy nosy neighbors, and because there are a lot of criminals who are using more technology, and will surely target VOIP if they think they can make any money off it. Adam --John Kelsey

Re: SHA-1 cracked

2005-02-17 Thread John Kelsey
no successful attacks on SHA-1. Well, there *weren't* any a week ago --Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb --John Kelsey

Re: SHA-1 cracked

2005-02-22 Thread John Kelsey
. This is what it looks like when someone develops a new class of attack that breaks a whole bunch of your available cryptographic primitives in a big hurry. Joe --John Kelsey

Re: NSA warned Bush it needed to monitor networks

2005-03-25 Thread John Kelsey
and debasement. I suspect something very similar happens with the watchlists. I wonder how many different layers of watchlist there are by now --digsig James A. Donald --John Kelsey

Re: Papers about Algorithm hiding ?

2005-06-06 Thread John Kelsey
disclosure. It's just *your* data they don't mind giving out to random criminals. No amount of crypto could have helped this. iang --John Kelsey

Re: Papers about Algorithm hiding ?

2005-06-07 Thread John Kelsey
From: Ian G [EMAIL PROTECTED] Sent: Jun 7, 2005 7:43 AM To: John Kelsey [EMAIL PROTECTED] Cc: Steve Furlong [EMAIL PROTECTED], cryptography@metzdowd.com Subject: Re: Papers about Algorithm hiding ? [My comment was that better crypto would never have prevented the Choicepoint data leakage. --JMK

Re: expanding a password into many keys

2005-06-13 Thread John Kelsey
is going through K1. This doesn't look like an especially realistic attack model, but I'm not sure what you're doing with this iang --John Kelsey

Re: NIST Public Workshop on Cryptographic Hashes

2005-06-15 Thread John Kelsey
. Informally, we're calling this the halloween hash bash. Come dressed as your favorite hash function! If you want to have some impact on where we go with hash functions, this is a good thing to attend Perry E. Metzger [EMAIL PROTECTED] --John Kelsey, NIST

Re: expanding a password into many keys

2005-06-15 Thread John Kelsey
or the complementation property of DES--it doesn't keep the crypto mechanism from being used securely, but it does make the job of an engineer trying to use it needlessly more complicated. Greg Rose INTERNET: [EMAIL PROTECTED] --John Kelsey

Re: Collisions for hash functions: how to explain them to your boss

2005-06-15 Thread John Kelsey
at all to make this kind of attack pattern work. It's a heck of a lot easier to say don't use MD5. ... -Ekr --John Kelsey

Re: /dev/random is probably not

2005-07-05 Thread John Kelsey
From: Charles M. Hannum [EMAIL PROTECTED] Sent: Jul 3, 2005 7:42 AM To: Don Davis [EMAIL PROTECTED] Cc: cryptography@metzdowd.com Subject: Re: /dev/random is probably not ... Also, I don't buy for a picosecond that you have to gather all timings in order to predict the output. As we know from

halloween hash bash reminder--July 15 deadline

2005-07-11 Thread John Kelsey
we can fit you onto the agenda for some discussion time. --John Kelsey, NIST, July 2005

Re: ID theft -- so what?

2005-07-14 Thread John Kelsey
and simple application. Aram Perez --John Kelsey

Possibly new result on truncating hashes

2005-08-01 Thread John Kelsey
Guys, I have what seems like a new and interesting result, which I haven't seen before, but which may or may not be new. The high order bit is that you can't generally guarantee that truncating your hash (chopping off some bits) won't weaken it. That is, if you chop SHA256 off to 160 bits as

Re: draft paper: Deploying a New Hash Algorithm

2005-08-06 Thread John Kelsey
, and what makes me obey that rule? or what would happen if I didn't do such and so? --Steven M. Bellovin, http://www.cs.columbia.edu/~smb --John Kelsey

Re: solving the wrong problem

2005-08-06 Thread John Kelsey
security on one part of the system while ignoring the bigger vulnerabilities. But this is a bit different Perry --John Kelsey

Re: Possible non-extension property for hash functions

2005-08-08 Thread John Kelsey
sequentially does eliminate the simple length-extension property, but there are variations on it that can still be used--that's why Joux multicollisions can be found even when you process the message twice sequentially. Are there other ways I'm not seeing to do this? ... Cheers - Bill --John Kelsey

Re: How much for a DoD X.509 certificate?

2005-08-11 Thread John Kelsey
From: Peter Gutmann [EMAIL PROTECTED] Sent: Aug 11, 2005 7:42 AM To: cryptography@metzdowd.com Subject: How much for a DoD X.509 certificate? $25 and a bit of marijuana, apparently. See: http://www.wjla.com/news/stories/0305/210558.html http://www.wjla.com/news/stories/0105/200474.html

herding attack paper submitted to ePrint archive

2005-08-22 Thread John Kelsey
analytically, though that gets more complicated), I can also break most systems that use a hash function to prove prior knowledge. I gave a rump session talk on this a few days ago at Crypto. --John Kelsey, NIST, August 2005

Another entry in the internet security hall of shame....

2005-08-23 Thread John Kelsey
technical support, and I got this really encouraging reply: Dear John Kelsey, Thank you for contacting us. I understand that you are having problems viewing Webmail and that it sends out an error on SSL certificate. I suggest that you try lowering the security settings of your Internet

Re: multiple keys to 1

2005-09-15 Thread John Kelsey
From: rbg9000 [EMAIL PROTECTED] Sent: Sep 8, 2005 3:01 PM To: cryptography@metzdowd.com Subject: multiple keys to 1 Sorry, I really don't know much about encryption, and my google searches haven't turned up much. I wondering if it's possible to reduce a set of symmetric keys (aes, twofish,

Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-25 Thread John Kelsey
From: cyphrpunk [EMAIL PROTECTED] Sent: Oct 24, 2005 5:58 PM To: John Kelsey [EMAIL PROTECTED] Subject: Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems ... Digital wallets will require real security in user PCs. Still I don't see why we don't already have

Re: On the orthogonality of anonymity to current market demand

2005-10-26 Thread John Kelsey
both kinds of payment system are susceptible to the same broad classes of attacks (bank misbehavior (for a short time), someone finding a software bug, someone breaking a crypto algorithm or protocol). What makes one more secure than the other? ... Cheers, RAH --John Kelsey

Re: On Digital Cash-like Payment Systems

2005-10-31 Thread John Kelsey
From: cyphrpunk [EMAIL PROTECTED] Sent: Oct 27, 2005 9:15 PM To: James A. Donald [EMAIL PROTECTED] Cc: cryptography@metzdowd.com, [EMAIL PROTECTED] Subject: Re: On Digital Cash-like Payment Systems On 10/26/05, James A. Donald [EMAIL PROTECTED] wrote: How does one inflate a key? Just make it

Re: timing attack countermeasures (nonrandom but unpredictable delays)

2005-11-17 Thread John Kelsey
of parts of k or parts of x. --John Kelsey

Re: the effects of a spy

2005-11-17 Thread John Kelsey
! -- Jerry --John Kelsey

Re: Encryption using password-derived keys

2005-12-02 Thread John Kelsey
such a clever trick. -Jack --John Kelsey

Re: thoughts on one time pads

2006-01-27 Thread John Kelsey
is too important to be left to chance. -- Robert R. Coveyou -- http://www.lightconsulting.com/~travis/ GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B --John Kelsey

Re: NPR : E-Mail Encryption Rare in Everyday Use

2006-02-26 Thread John Kelsey
., but eavesdropping and a lot of impersonation and spam and phishing would get much harder. Peter --John Kelsey

Re: pipad, was Re: bounded storage model - why is R organized as 2-d array?

2006-03-21 Thread John Kelsey
--John Kelsey

Re: Entropy Definition (was Re: passphrases with more than 160 bits of entropy)

2006-03-23 Thread John Kelsey
From: Jack Lloyd [EMAIL PROTECTED] Sent: Mar 22, 2006 11:30 PM To: cryptography@metzdowd.com Subject: Re: Entropy Definition (was Re: passphrases with more than 160 bits of entropy) ... As an aside, this whole discussion is confused by the fact that there are a bunch of different domains in

Re: Entropy Definition (was Re: passphrases with more than 160 bits of entropy)

2006-03-23 Thread John Kelsey
From: John Denker [EMAIL PROTECTED] Sent: Mar 23, 2006 1:44 PM To: John Kelsey [EMAIL PROTECTED], cryptography@metzdowd.com Subject: Re: Entropy Definition (was Re: passphrases with more than 160 bits of entropy) ... With some slight fiddling to get the normalization right, 1/2 raised

Re: Linux RNG paper

2006-03-23 Thread John Kelsey
to initialize a PRNG based on running AES-128 in counter mode? David. --John Kelsey, NIST

RE: Entropy Definition (was Re: passphrases with more than 160 bits of entropy)

2006-03-25 Thread John Kelsey
Zenner, Chief Cryptographer, Cryptico A/S, Fruebjergvej 3, DK 2100 Copenhagen. Phone: +45 39 17 96 06, Mobile: +45 60 77 95 41, [EMAIL PROTECTED], www.cryptico.com --John Kelsey, NIST

Re: Entropy Definition (was Re: passphrases with more than 160 bits of entropy)

2006-03-26 Thread John Kelsey
, either directly or via sampling the microphone like the Turbid design does, you're probably on much firmer ground.) --John Kelsey, NIST

Re: [Cfrg] HMAC-MD5

2006-04-01 Thread John Kelsey
extends the best attack on FEAL to 64 rounds, that will be cool, but nobody will be scrambling to replace FEAL in their products and protocols.) Vlastimil Klima --John Kelsey, NIST

A weird macro virus story

2006-06-23 Thread John Kelsey
Guys, Some of my co-workers here at NIST got an email macro virus which appeared to be targeted to cryptographers. It appeared to be addressed to Moti Yung, and come from Lawrie Brown and Henri Gilbert (though that name was misspelled, maybe a transcription error from an alternate character

Re: Interesting bit of a quote

2006-07-13 Thread John Kelsey
retention which are applied to DREs; the procedures make lots of sense for paper ballots, but no sense at all for DREs. I wonder how many other areas of computer and more general security have this same kind of issue. --John Kelsey, NIST

Re: Interesting bit of a quote

2006-07-16 Thread John Kelsey
From: Travis H. [EMAIL PROTECTED] Sent: Jul 14, 2006 11:22 PM To: David Mercer [EMAIL PROTECTED] Cc: cryptography@metzdowd.com Subject: Re: Interesting bit of a quote ... The problem with this is determining if the media has been replaced. Absent other protections, one could simply write a new

Re: [Cryptography] NSA and cryptanalysis

2013-08-31 Thread John Kelsey
If I had to bet, I'd bet on bad rngs as the most likely source of a breakthrough in decrypting lots of encrypted traffic from different sources. --John ___ The cryptography mailing list cryptography@metzdowd.com

Re: [Cryptography] Functional specification for email client?

2013-08-31 Thread John Kelsey
I think it makes sense to separate out the user-level view of what happens (the first five or six points) from how it's implemented (the last few points, and any other implementation discussions). In order for security to be usable, the user needs to know what he is being promised by the

Re: [Cryptography] NSA and cryptanalysis

2013-09-01 Thread John Kelsey
What I think we are worried about here are very widespread automated attacks, and they're passive (data is collected and then attacks are run offline). All that constrains what attacks make sense in this context. You need attacks that you can run in a reasonable time, with minimal

Re: [Cryptography] Backup is completely separate

2013-09-02 Thread John Kelsey
The backup access problem isn't just a crypto problem, it's a social/legal problem. There ultimately needs to be some outside mechanism for using social or legal means to ensure that, say, my kids can get access to at least some of my encrypted files after I drop dead or land in the hospital

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread John Kelsey
First, I don't think it has anything to do with Dual EC DRBG. Who uses it? My impression is that most of the encryption that fits what's in the article is TLS/SSL. That is what secures most encrypted content going online. The easy way to compromise that in a passive attack is to compromise

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread John Kelsey
On Thu, 5 Sep 2013 19:14:53 -0400 John Kelsey crypto@gmail.com wrote: First, I don't think it has anything to do with Dual EC DRBG. Who uses it? It did *seem* to match the particular part of the story about a subverted standard that was complained about by Microsoft researchers. I

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread John Kelsey
I don't see what problem would actually be solved by dropping public key crypto in favor of symmetric only designs. I mean, if the problem is that all public key systems are broken, then yeah, we will have to do something else. But if the problem is bad key generation or bad implementations,

Re: [Cryptography] FIPS, NIST and ITAR questions

2013-09-06 Thread John Kelsey
Sent from my iPad On Sep 3, 2013, at 6:06 PM, Jerry Leichter leich...@lrw.com wrote: On Sep 3, 2013, at 3:16 PM, Faré fah...@gmail.com wrote: Can't you trivially transform a hash into a PRNG, a PRNG into a cypher, and vice versa? No. hash-PRNG: append blocks that are digest (seed ++

Re: [Cryptography] FIPS, NIST and ITAR questions

2013-09-06 Thread John Kelsey
... Let H(X) = SHA-512(X) || SHA-512(X) where '||' is concatenation. Assuming SHA-512 is a cryptographically secure hash H trivially is as well. (Nothing in the definition of a cryptographic hash function says anything about minimality.) But H(X) is clearly not useful for producing a

Re: [Cryptography] In the face of cooperative end-points, PFS doesn't help

2013-09-08 Thread John Kelsey
Your cryptosystem should be designed with the assumption that an attacker will record all old ciphertexts and try to break it later. The whole point of encryption is to make that attack not scary. We can never rule out future attacks, or secret ones now. But we can move away from marginal

Re: [Cryptography] XORing plaintext with ciphertext

2013-09-08 Thread John Kelsey
It depends on the encryption scheme used. For a stream cipher (including AES in counter or OFB mode), this yields the keystream. If someone screws up and uses the same key and IV twice, you can use knowledge of the first plaintext to learn the second. For other AES chaining modes, it's less

Re: [Cryptography] Why prefer symmetric crypto over public key crypto?

2013-09-08 Thread John Kelsey
On Sep 7, 2013, at 3:25 PM, Christian Huitema huit...@huitema.net wrote: Another argument is “minimal dependency.” If you use public key, you depend on both the public key algorithm, to establish the key, and the symmetric key algorithm, to protect the session. If you just use symmetric

Re: [Cryptography] [cryptography] Random number generation influenced, HW RNG

2013-09-08 Thread John Kelsey
There are basically two ways your RNG can be cooked: a. It generates predictable values. Any good cryptographic PRNG will do this if seeded by an attacker. Any crypto PRNG seeded with too little entropy can also do this. b. It leaks its internal state in its output in some encrypted way.

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-08 Thread John Kelsey
Let's suppose I design a block cipher such that, with a randomly generated key and 10,000 known plaintexts, I can recover that key. For this to be useful in a world with relatively sophisticated cryptanalysts, I must have confidence that it is extremely hard to find my trapdoor, even when you

Re: [Cryptography] Techniques for malevolent crypto hardware

2013-09-08 Thread John Kelsey
On Sep 8, 2013, at 3:55 PM, Thor Lancelot Simon t...@rek.tjls.com wrote: ... I also wonder -- again, not entirely my own idea, my whiteboard partner can speak up for himself if he wants to -- about whether we're going to make ourselves better or worse off by rushing to the safety of PFS

Re: [Cryptography] Random number generation influenced, HW RNG

2013-09-09 Thread John Kelsey
On Sep 9, 2013, at 6:32 PM, Perry E. Metzger pe...@piermont.com wrote: First, David, thank you for participating in this discussion. To orient people, we're talking about whether Intel's on-chip hardware RNGs should allow programmers access to the raw HRNG output, both for validation

Re: [Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)

2013-09-13 Thread John Kelsey
On Sep 10, 2013, at 3:56 PM, Bill Stewart bill.stew...@pobox.com wrote: One point which has been mentioned, but perhaps not emphasised enough - if NSA have a secret backdoor into the main NIST ECC curves, then even if the fact of the backdoor was exposed - the method is pretty well known -

[Cryptography] one time pads

2013-09-13 Thread John Kelsey
Switching from AES to one-time pads to solve your practical cryptanalysis problems is silly. It replaces a tractable algorithm selection problem with a godawful key management problem, when key management is almost certainly the practical weakness in any broken system designed by non-idiots.

Re: [Cryptography] Security is a total system problem (was Re: Perfection versus Forward Secrecy)

2013-09-14 Thread John Kelsey
On Sep 13, 2013, at 3:23 PM, Perry E. Metzger pe...@piermont.com wrote: The problem these days is not that something like AES is not good enough for our purposes. The problem is that we too often build a reinforced steel door in a paper wall. Also, if AES being insufficiently strong is our

Re: [Cryptography] real random numbers

2013-09-14 Thread John Kelsey
Your first two categories are talking about the distribution of entropy--we assume some unpredictability exists, and we want to quantify it in terms of bits of entropy per bit of output. That's a useful distinction to make, and as you said, if you can get even a little entropy per bit and know

Re: [Cryptography] real random numbers

2013-09-15 Thread John Kelsey
On Sep 15, 2013, at 6:49 AM, Kent Borg kentb...@borg.org wrote: John Kelsey wrote: I think the big problem with (b) is in quantifying the entropy you get. Maybe don't. When Bruce Schneier last put his hand to designing an RNG he concluded that estimating entropy is doomed. I don't

Re: [Cryptography] The paranoid approach to crypto-plumbing

2013-09-17 Thread John Kelsey
On Sep 17, 2013, at 11:41 AM, Perry E. Metzger pe...@piermont.com wrote: I confess I'm not sure what the current state of research is on MAC then Encrypt vs. Encrypt then MAC -- you may want to check on that. Encrypt then MAC has a couple of big advantages centering around the idea that you

Re: [Cryptography] The paranoid approach to crypto-plumbing

2013-09-17 Thread John Kelsey
For hash functions, MACs, and signature schemes, simply concatenating hashes/MACs/signatures gives you at least the security of the stronger one. Joux multicollisions simply tell us that concatenating two or more hashes of the same size doesn't improve their resistance to brute force collision
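The Joux multicollision argument from the message above, worked through in code; this is an added example, not code from the original post. H1 and H2 are toy 16-bit Merkle-Damgard style hashes built from SHA-256 (an assumption made so every search finishes in well under a second); the structure, not the size, is what the attack exploits. With k chained block collisions on H1 (about k * 2^(n/2) work) we get 2^k messages that all share one H1 value, and a birthday search over those for H2 then collides H1 || H2 for roughly n * 2^(n/2) work instead of the 2^n a 2n-bit hash should cost.

```python
"""Joux multicollisions against the concatenation of two toy iterated hashes."""
import hashlib
from itertools import count

N_BYTES = 2   # 16-bit chaining state and output (assumption: toy size)
BLOCK = 4     # 4-byte message blocks


def compress(tag: bytes, state: bytes, block: bytes) -> bytes:
    """Toy compression function: truncated SHA-256 keyed by a per-hash tag."""
    return hashlib.sha256(tag + state + block).digest()[:N_BYTES]


def iterated_hash(tag: bytes, msg: bytes) -> bytes:
    """Plain Merkle-Damgard iteration. Messages here are whole blocks, so no padding is modelled."""
    assert len(msg) % BLOCK == 0
    state = bytes(N_BYTES)
    for i in range(0, len(msg), BLOCK):
        state = compress(tag, state, msg[i:i + BLOCK])
    return state


def H1(msg: bytes) -> bytes:
    return iterated_hash(b"H1", msg)


def H2(msg: bytes) -> bytes:
    return iterated_hash(b"H2", msg)


def H1_cat_H2(msg: bytes) -> bytes:
    """The 32-bit concatenated hash whose collision resistance is in question."""
    return H1(msg) + H2(msg)


def block_collision(tag: bytes, state: bytes):
    """Birthday search for two distinct blocks giving the same next state (~2^(n/2) work)."""
    seen = {}
    for i in count():
        b = i.to_bytes(BLOCK, "big")
        s = compress(tag, state, b)
        if s in seen:
            return seen[s], b, s
        seen[s] = b


def joux_multicollision(tag: bytes, k: int):
    """Chain k block collisions: any choice of one block per step yields the same hash,
    so 2^k messages collide for about k * 2^(n/2) work."""
    state = bytes(N_BYTES)
    pairs = []
    for _ in range(k):
        b0, b1, state = block_collision(tag, state)
        pairs.append((b0, b1))
    return pairs, state


def expand(pairs) -> list:
    """Enumerate all 2^k messages described by the collision pairs."""
    msgs = [b""]
    for b0, b1 in pairs:
        msgs = [m + b for m in msgs for b in (b0, b1)]
    return msgs


def concat_collision(k: int = 12):
    """Collide H1 || H2: build a 2^k multicollision on H1, then birthday-search H2 over it."""
    pairs, _ = joux_multicollision(b"H1", k)
    seen = {}
    for m in expand(pairs):          # every candidate already shares its H1 value
        h2 = H2(m)
        if h2 in seen:
            return seen[h2], m
        seen[h2] = m
    raise RuntimeError("no H2 collision among the 2^k candidates; increase k")


if __name__ == "__main__":
    m1, m2 = concat_collision()
    print(m1 != m2, H1_cat_H2(m1) == H1_cat_H2(m2))
```

With k = 12 the H2 search runs over 4096 candidates against a 16-bit value, so a collision is essentially guaranteed; the total work is a few tens of thousands of compressions rather than the 2^16 messages a generic birthday attack on a 32-bit hash would need, and the gap widens exponentially at real output sizes.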

Re: [Cryptography] The paranoid approach to crypto-plumbing

2013-09-17 Thread John Kelsey
Arggh! Of course, this superencryption wouldn't help against the CBC padding attacks, because the attacker would learn plaintext without bothering with the other layers of encryption. The only way to solve that is to preprocess the plaintext in some way that takes the attacker's power to

Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

2013-09-22 Thread John Kelsey
On Sep 19, 2013, at 5:21 PM, Phillip Hallam-Baker hal...@gmail.com wrote: Criminals circumvent the WebPKI rather than trying to defeat it. If they did start breaking the WebPKI then we can change it and do something different. If criminals circumvent the PKI to steal credit card numbers,

Re: [Cryptography] Gilmore response to NSA mathematician's make rules for NSA appeal

2013-09-24 Thread John Kelsey
On Sep 18, 2013, at 3:27 PM, Kent Borg kentb...@borg.org wrote: You foreigners actually have a really big vote here. All those US internet companies want your business, and as you get no protections, in the current scheme, not even lip-service, you should look for alternatives. As you do,

Re: [Cryptography] Gilmore response to NSA mathematician's make rules for NSA appeal

2013-09-25 Thread John Kelsey
On Sep 25, 2013, at 2:52 AM, james hughes hugh...@mac.com wrote: Many, if not all, service providers can provide the government valuable information regarding their customers. This is not limited to internet service providers. It includes banks, health care providers, insurance companies,

Re: [Cryptography] check-summed keys in secret ciphers?

2013-09-30 Thread John Kelsey
GOST was specified with S-boxes that could be different for different applications, and you could choose S-boxes to make GOST quite weak. So that's one example. --John

Re: [Cryptography] RSA equivalent key length/strength

2013-09-30 Thread John Kelsey
Having read the mail you linked to, it doesn't say the curves weren't generated according to the claimed procedure. Instead, it repeats Dan Bernstein's comment that the seed looks random, and that this would have allowed NSA to generate lots of curves till they found a bad one. it looks to

[Cryptography] Sha3

2013-09-30 Thread John Kelsey
If you want to understand what's going on wrt SHA3, you might want to look at the nist website, where we have all the slide presentations we have been giving over the last six months detailing our plans. There is a lively discussion going on at the hash forum on the topic. This doesn't make

Re: [Cryptography] NIST about to weaken SHA3?

2013-10-01 Thread John Kelsey
On Oct 1, 2013, at 4:48 AM, ianG i...@iang.org wrote: ... This could be the uninformed opinion over unexpected changes. It could also be the truth. How then to differentiate? Do we need to adjust the competition process for a tweak phase? Let's whiteboard. Once The One is chosen, have

Re: [Cryptography] AES-256- More NIST-y? paranoia

2013-10-02 Thread John Kelsey
On Oct 1, 2013, at 5:58 PM, Peter Fairbrother zenadsl6...@zen.co.uk wrote: AES, the latest-and-greatest block cipher, comes in two main forms - AES-128 and AES-256. AES-256 is supposed to have a brute force work factor of 2^256 - but we find that in fact it actually has a very similar

Re: [Cryptography] are ECDSA curves provably not cooked? (Re: RSA equivalent key length/strength)

2013-10-02 Thread John Kelsey
On Oct 1, 2013, at 12:51 PM, Adam Back a...@cypherspace.org wrote: [Discussing how NSA might have generated weak curves via trying many choices till they hit a weak-curve class that only they knew how to solve.] ... But the more interesting question I was referring to is a trapdoor weakness

Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

2013-10-02 Thread John Kelsey
Has anyone tried to systematically look at what has led to previous crypto failures? That would inform us about where we need to be adding armor plate. My impression (this may be the availability heuristic at work) is that: a. Most attacks come from protocol or mode failures, not so much

Re: [Cryptography] RSA equivalent key length/strength

2013-10-02 Thread John Kelsey
On Oct 2, 2013, at 9:54 AM, Paul Crowley p...@ciphergoth.org wrote: On 30 September 2013 23:35, John Kelsey crypto@gmail.com wrote: If there is a weak curve class of greater than about 2^{80} that NSA knew about 15 years ago and were sure nobody were ever going to find that weak curve

Re: [Cryptography] Sha3 and selecting algorithms for speed

2013-10-05 Thread John Kelsey
Most applications of crypto shouldn't care much about performance of the symmetric crypto, as that's never the thing that matters for slowing things down. But performance continues to matter in competitions and algorithm selection for at least three reasons: a. We can measure performance,

[Cryptography] Performance vs security

2013-10-05 Thread John Kelsey
There are specific algorithms where you have a pretty clear-cut security/performance tradeoff. RSA and ECC both give you some choice of security level that has a big impact in terms of performance. AES and SHA2 and eventually SHA3 offer you some security level choices, but the difference in

Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

2013-10-05 Thread John Kelsey
On Oct 4, 2013, at 10:10 AM, Phillip Hallam-Baker hal...@gmail.com wrote: ... Dobbertin demonstrated a birthday attack on MD5 back in 1995 but it had no impact on the security of certificates issued using MD5 until the attack was dramatically improved and the second pre-image attack became
