Re: Session Key Negotiation

2005-12-02 Thread Richard Salz
I am designing a transport-layer encryption protocol, and obviously wish to use as much existing knowledge as possible, in particular TLS, which AFAICT seems to be the state of the art. In general, it's probably a good idea to look at existing mechanisms and analyze why they're not

Chinese WAPI protocol?

2006-06-12 Thread Richard Salz
Today in slashdot ( there was an article about China wanting to get WAPI accepted as a new wireless security standard. Has anyone looked at it? /r$ -- SOA Appliances Application Integration Middleware

Re: Why the exponent 3 error happened:

2006-09-15 Thread Richard Salz
From : When designing computer systems, one is often faced with a choice between using a more or less powerful language for publishing information, for expressing constraints, or for solving some problem. This finding explores tradeoffs relating

Re: A note on vendor reaction speed to the e=3 problem

2006-09-28 Thread Richard Salz
From a security point of view, shar has obvious problems :-) Really, what? There are things it doesn't do, but since it's only a packaging format that's a good thing.

Re: crypto maxims

2007-05-26 Thread Richard Salz
I have posted my ideas on defensive use of crypto here: This is not about cipher design, it's more about protocol design and implementation. And the very first thing that happened is my browser complained about the SSL

Re: Why self describing data formats:

2007-06-21 Thread Richard Salz
Many protocols use some form of self describing data format, for example ASN.1, XML, S expressions, and bencoding. I'm not sure what you're getting at. All XML and S expressions really get you is that you know how to skip past something you don't understand. This is also true for many (XER,

Re: Question on export issues

2007-12-30 Thread Richard Salz
In my personal experience, if you are developing a mass-market item with conventional crypto (e.g., SSL, S/MIME, etc ) then it is fairly routine to get a commodity export license which lets you sell globally. Disclaimers abound, including that I'm not a lawyer and certainly don't speak for

Re: Question on export issues

2008-01-03 Thread Richard Salz
Is there some technology that they are so afraid of that they still won't let it ship or does it just matter who you are, not what it is? I wouldn't know for sure, but I am sure that who is asking permission does matter.

Re: Dutch Transport Card Broken

2008-01-30 Thread Richard Salz
SSL is layered on top of TCP, and then one layers one's actual protocol on top of SSL, with the result that a transaction involves a painfully large number of round trips. Perhaps theoretically painful, but in practice this is not the case; commerce on the web is the counter-example. The

Re: Gutmann Soundwave Therapy

2008-02-01 Thread Richard Salz
The wider point of Peter's writeup -- and of the therapy -- is that developers working on security tools should _know_ they're working in a notoriously, infamously hard field where the odds are _overwhelmingly_ against them if they choose to engineer new solutions. Developers working in

Re: Gutmann Soundwave Therapy

2008-02-09 Thread Richard Salz
Thus unlike with bridges, you fundamentally can't evaluate the quality of a security system you built if you're unfamiliar with the state of the art of _attacks_ against security systems, and you can't become familiar with those unless you realize that these attacks have each brought

Re: Why doesn't Sun release the crypto module of the OpenSPARC? Crypto export restrictions

2008-06-12 Thread Richard Salz
I would expect hardware designs to be treated more like hardware than software.

Re: Why doesn't Sun release the crypto module of the OpenSPARC? Crypto export restrictions

2008-06-12 Thread Richard Salz
If only to make sure that there's no confusion about where I stand: I agree with you completely John. I am not surprised that the feds or Sun see it otherwise.

Re: voting by m of n digital signature?

2008-11-09 Thread Richard Salz
Is there a way of constructing a digital signature so that the signature proves that at least m possessors of secret keys corresponding to n public keys signed, for n a dozen or less, without revealing how many more than m, or which ones signed? Yes there are a number of ways. Usually they

Re: Unattended reboots (was Re: The clouds are not random enough)

2009-08-03 Thread Richard Salz
in order for the application to have access to the keys in the crypto hardware upon an unattended reboot, the PINs to the hardware must be accessible to the application. The cards that I know about work differently -- you configure them to allow unattended reboot, and then no PIN is involved.

Re: Unattended reboots (was Re: The clouds are not random enough)

2009-08-03 Thread Richard Salz
All the HSMs I've worked with start their system daemons automatically; but the applications using them must still authenticate themselves to the HSM before keys can be used. How do the cards you've worked with authenticate the application if no PINs are involved? Sorry, I wasn't clear

Re: US crypto/munitions again?

Status quo.

Re: Intel to also add RNG

2010-07-12 Thread Richard Salz
Have they forgotten the enormous amount of suspicion last time they tried this? More likely they're expecting everyone else to have forgotten about being suspicious.

Persisting /dev/random state across reboots

2010-07-29 Thread Richard Salz
At shutdown, a process copies /dev/random to /var/random-seed which is used on reboots. Is this a good, bad, or shrug, whatever idea? I suppose the idea is that all startup procs look the same? tnx.

Re: Is this the first ever practically-deployed use of a threshold scheme?

2010-08-01 Thread Richard Salz
(In a threshold cryptosystem, the shares would be used in a protocol to perform the desired cryptographic operation [e.g., signing] without ever reconstructing the real secret.) Has real threshold cryptography never been used anywhere? Yes, the root key for the SET consortium was done

Re: towards https everywhere and strict transport security (was: Has there been a change in US banking regulations recently?)

2010-08-25 Thread Richard Salz
Also, note that HSTS is presently specific to HTTP. One could imagine expressing a more generic STS policy for an entire site A really knowledgeable net-head told me the other day that the problem with SSL/TLS is that it has too many round-trips. In fact, the RTT costs are now more

Re: towards https everywhere and strict transport security (was: Has there been a change in US banking regulations recently?)

2010-08-27 Thread Richard Salz
(For what it's worth, I find your style of monocase and ellipses so incredibly difficult to read that I usually delete your postings unread.) as previously mentioned, somewhere back behind everything else ... there is strong financial motivation in the sale of the SSL domain name digital

Re: [Cryptography] Snowden fabricated digital keys to get access to NSA servers?

2013-07-04 Thread Richard Salz
How could it be arranged that if anything happens at all to Edward Snowden, he told me he has arranged for them to get access to the full archives? A lawyer or other (paid) confidant was given instructions that would disclose the key. Do this if something happens to me. It doesn't have to be

[Cryptography] Good private email

2013-08-26 Thread Richard Salz
I don't think you need all that much to get good secure private email. You need a client that can make PEM pretty seamless; reduce it to a button that says encrypt when possible. You need the client to be able to generate a keypair, upload the public half, and pull down (seamlessly) recipient

Re: [Cryptography] Good private email

2013-08-26 Thread Richard Salz
This is everything *but* PRISM-proof I wasn't trying to be PRISM proof, hence my subject line. The client and keyserver could help thwart traffic analysis by returning a few extra keys on each request. The client then sends a structure message to some of those keys that the receiving client

Re: [Cryptography] FIPS, NIST and ITAR questions

2013-09-03 Thread Richard Salz
ITAR doesn't require a license or permit for strong hash functions, but for US persons require(d?) notification of NSA of authorship, contact email and download URL(s), at least in 2006 it did. That strikes me as an overly-conservative reading of the rules, but it's been some time since I

Re: [Cryptography] FIPS, NIST and ITAR questions

2013-09-03 Thread Richard Salz
I still think you are reading it too conservatively. The NSA page defers the actual rules to somewhere else: Certain commercial IA and IA-enabled IT products that contain cryptography and the technical data regarding them are subject to Federal Government export controls Suite B includes