AW: Possibly new result on truncating hashes

2005-08-02 Thread Kuehn, Ulrich
John Kelsey wrote: Unfortunately, we can't make this argument, because this postulated collision algorithm can't be used to find a collision in the whole SHA256 more efficiently than brute force. Let's do the counting argument: Each time we call the 160-bit collision algorithm, we

AW: [EMAIL PROTECTED]: Skype security evaluation]

2005-10-31 Thread Kuehn, Ulrich
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of cyphrpunk Sent: Friday, 28 October 2005 06:07 To: [EMAIL PROTECTED]; cryptography@metzdowd.com Subject: Re: [EMAIL PROTECTED]: Skype security evaluation] Wasn't there a rumor last year

AW: [Clips] Banks Seek Better Online-Security Tools

2005-12-07 Thread Kuehn, Ulrich
-Original Message- From: Nicholas Bohm [mailto:[EMAIL PROTECTED] Sent: Tuesday, 6 December 2005 12:03 To: Florian Weimer Cc: cryptography@metzdowd.com Subject: Re: [Clips] Banks Seek Better Online-Security Tools Florian Weimer wrote: * Nicholas Bohm: [...] I

RE: Linux RNG paper

2006-05-05 Thread Kuehn, Ulrich
From: Travis H. [mailto:[EMAIL PROTECTED] On 5/4/06, markus reichelt [EMAIL PROTECTED] wrote: Agreed; but regarding unix systems, I know of none crypto implementation that does integrity checking. Not just de/encrypt the data, but verify that the encrypted data has not been tampered

RE: the meaning of linearity, was Re: picking a hash function to be encrypted

2006-05-17 Thread Kuehn, Ulrich
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] The thing I've always wondered about stream ciphers is why we only talk about linear ones. A stream cipher is fundamentally constructed of two things: A stream of bits (alleged to be unpredictable) as long as

RE: IGE mode is broken (Re: IGE mode in OpenSSL)

2006-09-13 Thread Kuehn, Ulrich
-Original Message- From: Ben Laurie [mailto:[EMAIL PROTECTED] Sent: Saturday, 9 September 2006 22:39 To: Adam Back Cc: Travis H.; Cryptography; Anton Stiglic Subject: Re: IGE mode is broken (Re: IGE mode in OpenSSL) [...] In any case, I am not actually interested IGE itself,

RE: Why the exponent 3 error happened:

2006-09-18 Thread Kuehn, Ulrich
I noticed the exact same code being present in the mozilla 1.7.13 source ... I wonder what the correct consequence would be? Have us crypto people proof-read all relevant source code? Better educate developers? Interestingly the attacker's playground between the 0, 1, 0 and the hash gets

RE: [cryptography] Re: Why the exponent 3 error happened:

2006-09-20 Thread Kuehn, Ulrich
From: Ralf-Philipp Weinmann [mailto:[EMAIL PROTECTED] [...] Unfortunately we only found out that there has been prior art by Yutaka Oiwa et al. *AFTER* we successfully forged a certificate using this method (we being Andrei Pyshkin, Erik Tews and myself). The certificate we forged

RE: Exponent 3 damage spreads...

2006-09-21 Thread Kuehn, Ulrich
Peter, From: Peter Gutmann [mailto:[EMAIL PROTECTED] David Wagner [EMAIL PROTECTED] writes: (a) Any implementation that doesn't check whether there is extra junk left over after the hash digest isn't implementing the PKCS#1.5 standard correctly. That's a bug in the implementation.

RE: Exponent 3 damage spreads...

2006-09-21 Thread Kuehn, Ulrich
Peter, From: Peter Gutmann [mailto:[EMAIL PROTECTED] Kuehn, Ulrich [EMAIL PROTECTED] writes: But the PKCS#1 spec talks about building up the complete padded signature input at the verifier, and then comparing it. Uhh, did you actually read the rest of my post? *One variant

RE: Exponent 3 damage spreads...

2006-09-28 Thread Kuehn, Ulrich
From: Ralf-Philipp Weinmann [...] Relevant files to this problem that were patched turned out to be security/nss/lib/cryptohi/secvfy.c and nss/lib/util/secdig.c. Have a look at the function DecryptSigBlock() in secdig.c, lines 92-95 /* make sure the parameters are not too

RE: TPM disk crypto

2006-10-09 Thread Kuehn, Ulrich
From: Erik Tews [mailto:[EMAIL PROTECTED] Sent: Thursday, 5 October 2006 23:52 [...] Later, you can remotely query your system and get a report what has been booted on your system. You can do this query using a java application and tpm4java. However, this is the big problem

RE: TPM disk crypto

2006-10-12 Thread Kuehn, Ulrich
From: James A. Donald [mailto:[EMAIL PROTECTED] Sent: Tuesday, 10 October 2006 06:40 What we want is that a bank client can prove to the bank it is the real client, and not trojaned. What the evil guys at RIAA want is that their music player can prove it is their real music player,

RE: TPM disk crypto

2006-10-13 Thread Kuehn, Ulrich
From: Ivan Krstić [mailto:[EMAIL PROTECTED] Kuehn, Ulrich wrote: Who is we? In the case of my own system I paid for (so speaking for myself) I would like to have such a mechanism to have the system prove to me before login that it is not tampered with. The TCG approach does

RE: Why the exponent 3 error happened:

2006-11-10 Thread Kuehn, Ulrich
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Sunday, 17 September 2006 06:01 For another example of just how badly this kind of thing can be done, look at this code excerpt from Firefox version 1.5.0.7, which is the fixed version. There are two PKCS-1 parsing