Re: An attack on paypal

2003-06-08 Thread Tim Dierks
At 02:55 PM 6/8/2003, James A. Donald wrote: Attached is a spam mail that constitutes an attack on paypal similar in effect and method to man in the middle. The bottom line is that https just is not working. It's broken. The fact that people keep using shared secrets is a symptom of https not

Re: Fwd: [IP] A Simpler, More Personal Key to Protect Online Messages

2003-07-07 Thread Tim Dierks
A Simpler, More Personal Key to Protect Online Messages By JOHN MARKOFF The New York Times I wrote this for another list I'm on: This system is based on an identity-based cryptography scheme developed by Dan Boneh with Matt Franklin. You can find a link to his paper Identity based encryption

Re: Fwd: [IP] A Simpler, More Personal Key to Protect Online Messages

2003-07-08 Thread Tim Dierks
At 05:30 PM 7/8/2003, Nomen Nescio wrote: One difference is that with the identity-based crypto, once a sender has acquired the software and the CA's public key, he doesn't have to contact the CA to get anyone's certificate. He can encrypt to anyone without having to contact the CA, just based on

Re: Beware of /dev/random on Mac OS X

2003-08-29 Thread Tim Dierks
At 05:01 PM 8/28/2003, Peter Hendrickson wrote: First, the entropy pool in Yarrow is only 160 bits. From Section 6 Open Questions and Plans for the Future of the Yarrow paper referenced above: Yarrow-160, our current construction, is limited to at most 160 bits of security by the size of its

Re: anonymous DH MITM

2003-10-01 Thread Tim Dierks
At 07:06 PM 10/1/2003, M Taylor wrote: Stupid question I'm sure, but does TLS's anonymous DH protect against man-in-the-middle attacks? If so, how? I cannot figure out how it would, and it would seem TLS would be wide open to abuse without MITM protection so I cannot imagine it would be acceptable

Re: anonymous DH MITM

2003-10-01 Thread Tim Dierks
At 10:37 PM 10/1/2003, Peter Gutmann wrote: Tim Dierks [EMAIL PROTECTED] writes: It does not, and most SSL/TLS implementations/installations do not support anonymous DH in order to avoid this attack. Uhh, I think that implementations don't support DH because the de facto standard is RSA

Re: anonymous DH MITM

2003-10-02 Thread Tim Dierks
At 11:50 PM 10/1/2003, Ian Grigg wrote: (AFAIK, self-signed certs in every way dominate ADH in functional terms.) In TLS, AnonDH offers forward secrecy, but there are no RSA certificate modes which do (except for ExportRSA). You can use ephemeral DH key agreement keys with static certified DSA

Re: anonymous DH MITM

2003-10-02 Thread Tim Dierks
At 11:52 AM 10/2/2003, Zooko O'Whielacronx wrote: Bear wrote: You can have anonymous protocols that aren't open be immune to MITM And you can have open protocols that aren't anonymous be immune to MITM. But you can't have both. I'd like to see the proof. I think it depends on what you mean

Re: anonymous DH MITM

2003-10-03 Thread Tim Dierks
At 02:16 PM 10/3/2003, Jerrold Leichter wrote: From: Anton Stiglic [EMAIL PROTECTED] | From: Tim Dierks [EMAIL PROTECTED] | I think it's a tautology: there's no such thing as MITM if there's no such | thing as identity. You're talking to the person you're talking to, and | that's all you know

Re: anonymous DH MITM

2003-10-04 Thread Tim Dierks
I'm lost in a twisty page of MITM passages, all alike. My point was that in an anonymous protocol, for Alice to communicate with Mallet is equivalent to communicating with Bob, since the protocol is anonymous: there is no distinction. All the concept of MITM is intended to convey is that in an
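The exchange this thread is about, as an added example (not code from any of the list posts): the question of whether TLS anonymous DH resists a man in the middle, and the later point that in an anonymous protocol Alice talking to Mallet is indistinguishable from Alice talking to Bob. Alice and Bob each run plain Diffie-Hellman, Mallet substitutes his own share in each direction, and both honest parties end up sharing a key with Mallet rather than with each other. The second function shows the one thing that stops this, binding each share to an identity the peer already trusts; here that is an HMAC under a long-term key as a stand-in for the certified signature TLS uses. The group (the prime 2^61 - 1 with generator 2) is a toy chosen so the script runs in milliseconds; the attack does not depend on group size. All names and parameters are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Toy group, constructed for the demo (not a standard group): the Mersenne
# prime 2^61 - 1 with generator 2. Real groups are 2048 bits or more; the
# relay attack below does not depend on the group size.
P = (1 << 61) - 1
G = 2


def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2          # private exponent in [2, P-2]
    return priv, pow(G, priv, P)


def dh_shared_key(priv: int, peer_pub: int) -> bytes:
    """Hash of the raw DH secret; rejects the trivial shares 0, 1 and P-1."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("peer share is outside the group")
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(8, "big")).digest()


def honest_dh_agrees() -> bool:
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    return dh_shared_key(a_priv, b_pub) == dh_shared_key(b_priv, a_pub)


def anonymous_dh_with_mitm() -> dict:
    """Anonymous DH: nothing ties a share to a party, so Mallet replaces
    each share in flight and ends up holding a key with each side."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    ma_priv, ma_pub = dh_keypair()   # Mallet's share facing Alice
    mb_priv, mb_pub = dh_keypair()   # Mallet's share facing Bob

    # Alice -> [Mallet] -> Bob: a_pub goes in, mb_pub comes out.
    # Bob -> [Mallet] -> Alice: b_pub goes in, ma_pub comes out.
    alice_key = dh_shared_key(a_priv, ma_pub)
    bob_key = dh_shared_key(b_priv, mb_pub)
    mallet_to_alice = dh_shared_key(ma_priv, a_pub)
    mallet_to_bob = dh_shared_key(mb_priv, b_pub)
    return {
        "mallet_reads_alice": alice_key == mallet_to_alice,
        "mallet_reads_bob": bob_key == mallet_to_bob,
        "alice_and_bob_agree": alice_key == bob_key,
    }


def authenticate_share(long_term_key: bytes, pub: int) -> bytes:
    """Stand-in for a signature over the share: an HMAC under a long-term key
    the peer already trusts (assumption; TLS uses a certified signing key)."""
    return hmac.new(long_term_key, pub.to_bytes(8, "big"), hashlib.sha256).digest()


def authenticated_dh_rejects_mitm() -> bool:
    """Bob authenticates his share; Mallet can swap the share but cannot
    produce a valid tag for the replacement, so Alice rejects it."""
    bob_long_term = secrets.token_bytes(32)   # Alice trusts this key as "Bob"
    b_priv, b_pub = dh_keypair()
    mb_priv, mb_pub = dh_keypair()
    tag = authenticate_share(bob_long_term, b_pub)
    forwarded_pub, forwarded_tag = mb_pub, tag   # Mallet's substitution
    expected = authenticate_share(bob_long_term, forwarded_pub)
    return not hmac.compare_digest(expected, forwarded_tag)


if __name__ == "__main__":
    print("honest run agrees:", honest_dh_agrees())
    print("anonymous DH under MITM:", anonymous_dh_with_mitm())
    print("authenticated share rejects MITM:", authenticated_dh_rejects_mitm())
```

The dictionary returned by anonymous_dh_with_mitm is the whole point of the thread: both "mallet_reads_*" flags are true and "alice_and_bob_agree" is false, yet neither Alice nor Bob has seen anything the protocol defines as an error, because the protocol never defined who they were talking to.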

Re: WYTM?

2003-10-13 Thread Tim Dierks
At 12:28 AM 10/13/2003, Ian Grigg wrote: Problem is, it's also wrong. The end systems are not secure, and the comms in the middle is actually remarkably safe. I think this is an interesting, insightful analysis, but I also think it's drawing a stronger contrast between the real world and the

Clipper for luggage

2003-11-13 Thread Tim Dierks
From the New York Times. Any guesses on how long it'll take before your local hacker will have a key which will open any piece of your luggage? - Tim A Baggage Lock for You and the Federal Screeners By JOE SHARKEY Published: November 11, 2003 AIRLINE passengers will be able to lock checked

Re: XML-proof UIDs

2003-11-16 Thread Tim Dierks
At 05:52 AM 11/14/2003, Eugen Leitl wrote: Does anyone have robust code to generate globally unique IDs which won't break XML parsing, and work on several platforms? I was thinking of using an entropy pool to seed a cryptographic PRNG, used to generate a sequence of SHA-1 hashes, dumped to an
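One way to generate the kind of identifier asked about above, as an added example and not code from the post: draw the bits from the OS CSPRNG (secrets) rather than a hand-rolled entropy pool, encode them so every character is a legal XML NCName character, and prefix a letter so the value can be used as an ID-typed attribute even when the encoding starts with a digit. The regular expression is a deliberately conservative ASCII subset of the NCName grammar. The prefix "id" and the 16-byte length are assumptions for this example.

```python
import base64
import re
import secrets
import xml.etree.ElementTree as ET

# Conservative ASCII subset of the XML NCName grammar (what ID-typed attributes
# require): a letter or underscore first, then letters, digits, '_', '.', '-'.
# Colons are Name characters but not NCName characters, so they are excluded.
NCNAME_ASCII = re.compile(r"^[A-Za-z_][A-Za-z0-9_.\-]*$")


def is_xml_safe_id(candidate: str) -> bool:
    return NCNAME_ASCII.match(candidate) is not None


def xml_safe_uid(nbytes: int = 16, prefix: str = "id") -> str:
    """nbytes of OS randomness, base32 without padding, lower-cased.

    Base32 output is [a-z2-7], all of which are NameChar; the prefix supplies
    the NameStartChar, since base32 may begin with a digit. 128 random bits
    make a collision implausible (birthday bound near 2^64 identifiers).
    """
    raw = secrets.token_bytes(nbytes)
    body = base64.b32encode(raw).decode("ascii").rstrip("=").lower()
    return f"{prefix}-{body}"


def survives_xml_roundtrip(uid: str) -> bool:
    """Embed the id as an attribute and parse it back with the stdlib parser."""
    root = ET.fromstring(f'<doc id="{uid}"/>')
    return root.get("id") == uid


if __name__ == "__main__":
    uid = xml_safe_uid()
    print(uid, is_xml_safe_id(uid), survives_xml_roundtrip(uid))
    # The two common wrong answers: hex can start with a digit, base64 carries '+', '/', '='.
    print(is_xml_safe_id("3f2a9c"), is_xml_safe_id("Yx+/Q="))
```

Hex output of a hash or PRNG is fine as data but fails as an ID whenever its first nibble is a digit, and base64 fails on '+', '/' and '='; the prefix plus base32 avoids both without any post-filtering.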

Re: MD5 collisions?

2004-08-18 Thread Tim Dierks
On Thu, 19 Aug 2004 00:49:17 +1000, Greg Rose [EMAIL PROTECTED] wrote: It seems to be a straightforward differential cryptanalysis attack, so one wonders why no-one else came up with it. With further hindsight, and Phil Hawkes' help, I understand now. The technique needs to alternate

Number of rounds needed for perfect Feistel?

2005-08-12 Thread Tim Dierks
I'm attempting to design a block cipher with an odd block size (34 bits). I'm planning to use a balanced Feistel structure with AES as the function f(), padding the 17-bit input blocks to 128 bits with a pad dependent on the round number, encrypting with a key, and extracting the low 17 bits as

Re: Number of rounds needed for perfect Feistel?

2005-08-12 Thread Tim Dierks
Barney Wolff wrote: On Fri, Aug 12, 2005 at 11:47:26AM -0400, Tim Dierks wrote: I'm attempting to design a block cipher with an odd block size (34 bits). I'm planning to use a balanced Feistel structure with AES as the function f(), padding the 17-bit input blocks to 128 bits with a pad
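The construction described in the two messages above (a balanced Feistel network over a 34-bit block, 17-bit halves, a keyed round function that also depends on the round number, low 17 bits of the output used), as an added example that is not the poster's code. The one substitution is in the round function: the post pads the half to 128 bits and runs AES, while this script uses HMAC-SHA256 keyed with the cipher key and the round number as the round-dependent pad, so it runs on the standard library alone; the Feistel analysis is the same for any keyed PRF truncated to 17 bits. The example also shows why the number of rounds is the right question. Luby and Rackoff showed three rounds with independent round functions give a pseudorandom permutation and four a strong one, but the distinguishing bound is on the order of q^2/2^n for n-bit halves, and with n = 17 that is a few hundred queries. leak_rate demonstrates the simplest case: with two rounds the output left half is L xor f0(R), so two plaintexts sharing R reveal L xor L' every time. Keys and sample blocks are constructed for the demo.

```python
import hashlib
import hmac
import random

HALF_BITS = 17
HALF_MASK = (1 << HALF_BITS) - 1
BLOCK_MASK = (1 << (2 * HALF_BITS)) - 1


def round_function(key: bytes, round_no: int, half: int) -> int:
    """Keyed round function f() over one 17-bit half.

    The post feeds AES a 128-bit block made of the half plus a round-dependent
    pad and keeps the low 17 bits. HMAC-SHA256 stands in for AES here
    (assumption, to avoid a third-party AES dependency); the round number
    plays the part of the round-dependent pad, so the rounds are distinct
    functions even though they share one key.
    """
    msg = round_no.to_bytes(4, "big") + half.to_bytes(4, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & HALF_MASK


def feistel_encrypt(key: bytes, block: int, rounds: int) -> int:
    """Balanced Feistel over a 34-bit block: (L, R) -> (R, L xor f(R))."""
    if not 0 <= block <= BLOCK_MASK:
        raise ValueError("block must be 34 bits")
    left, right = block >> HALF_BITS, block & HALF_MASK
    for r in range(rounds):
        left, right = right, left ^ round_function(key, r, right)
    return (left << HALF_BITS) | right


def feistel_decrypt(key: bytes, block: int, rounds: int) -> int:
    """Run the rounds backwards; f() is only recomputed, never inverted."""
    left, right = block >> HALF_BITS, block & HALF_MASK
    for r in reversed(range(rounds)):
        left, right = right ^ round_function(key, r, left), left
    return (left << HALF_BITS) | right


def leak_rate(key: bytes, rounds: int, samples: int = 64) -> float:
    """Fraction of chosen-plaintext pairs (L, R), (L', R) with L != L' whose
    ciphertext left halves satisfy C_L xor C'_L == L xor L'.

    With two rounds the output left half is L xor f0(R), so the relation holds
    for every pair and the cipher is trivially not a random permutation. From
    three rounds on it holds only when f1 collides, about once in 2^17 pairs.
    """
    rng = random.Random(1)  # seeded so the demo is reproducible
    hits = 0
    for _ in range(samples):
        l1, l2, r = (rng.getrandbits(HALF_BITS) for _ in range(3))
        if l2 == l1:
            l2 ^= 1
        c1 = feistel_encrypt(key, (l1 << HALF_BITS) | r, rounds)
        c2 = feistel_encrypt(key, (l2 << HALF_BITS) | r, rounds)
        if (c1 >> HALF_BITS) ^ (c2 >> HALF_BITS) == l1 ^ l2:
            hits += 1
    return hits / samples


if __name__ == "__main__":
    key = b"constructed demo key"
    for rounds in (2, 3, 4, 8):
        invertible = all(
            feistel_decrypt(key, feistel_encrypt(key, b, rounds), rounds) == b
            for b in (0, 1, BLOCK_MASK, 0x2ABCDEF)
        )
        print(f"{rounds} rounds: invertible={invertible} leak_rate={leak_rate(key, rounds):.2f}")
```

Invertibility does not depend on the round count or on f() being a permutation, which is what makes the odd block size workable; what depends on the round count is how far from a random permutation the result is, and with 17-bit halves that distance stays uncomfortably large until well past the three or four rounds the theoretical results name.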

Re: Another entry in the internet security hall of shame....

2005-08-24 Thread Tim Dierks
[resending due to e-mail address / cryptography list membership issue] On 8/24/05, Ian G [EMAIL PROTECTED] wrote: Once you've configured iChat to connect to the Google Talk service, you may receive a warning message that states your username and password will be transferred insecurely. This

Re: Exponent 3 damage spreads...

2006-09-14 Thread Tim Dierks
On 9/14/06, James A. Donald [EMAIL PROTECTED] wrote: It seems to me that the evil here is ASN.1, or perhaps standards that use ASN.1 carelessly and badly. It is difficult to write code that conforms to ASN.1, easy to get it wrong, and difficult to say what in fact constitutes conforming to

Open-source PAL

2007-11-30 Thread Tim Dierks
A random thought that's been kicking around in my head: if someone were looking for a project, an open-source permissive action link ( http://www.cs.columbia.edu/~smb/nsam-160/pal.html is a good link, thank you Mr. Bellovin) seems like it might be a great public resource: I suspect it's something

Re: Fixing SSL (was Re: Dutch Transport Card Broken)

2008-01-31 Thread Tim Dierks
On Jan 30, 2008 9:04 PM, Philipp Gühring [EMAIL PROTECTED] wrote: Hi, Huh? What are you claiming the problem with sending client certificates in plaintext is * It's a privacy problem * It's a security problem for people with a security policy that requires their identities to be

Re: OpenID/Debian PRNG/DNS Cache poisoning advisory

2008-08-08 Thread Tim Dierks
[Sorry for duplicates, but I got multiple requests for a non-HTML version, and I didn't want to fork the thread. Also sorry for initially sending HTML; I didn't realize it was so abhorrent these days. ] On Fri, Aug 8, 2008 at 1:43 PM, Dan Kaminsky [EMAIL PROTECTED] wrote: It's easy to compute

Re: [Cryptography] Today's XKCD is on password strength.

2011-08-10 Thread Tim Dierks
On Wed, Aug 10, 2011 at 10:12 AM, Perry E. Metzger pe...@piermont.com wrote: Today's XKCD is on password strength. The advice it gives is pretty good in principle... http://xkcd.com/936/ FWIW, http://tim.dierks.org/2007/03/secure-in-browser-javascript-password.html - Tim

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Tim Dierks
On Thu, Sep 5, 2013 at 4:57 PM, Perry E. Metzger pe...@piermont.com wrote: On Thu, 5 Sep 2013 16:53:15 -0400 Perry E. Metzger pe...@piermont.com wrote: Anyone recognize the standard? Please say it aloud. (I personally don't recognize the standard offhand, but my memory is poor that

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-06 Thread Tim Dierks
On Fri, Sep 6, 2013 at 3:03 AM, Kristian Gjøsteen kristian.gjost...@math.ntnu.no wrote: Has anyone, anywhere ever seen someone use Dual-EC-DRBG? I mean, who on earth would be daft enough to use the slowest possible DRBG? If this is the best NSA can do, they are over-hyped. It's

Re: [Cryptography] About those fingerprints ...

2013-09-11 Thread Tim Dierks
On Wed, Sep 11, 2013 at 1:13 PM, Jerry Leichter leich...@lrw.com wrote: On Sep 11, 2013, at 9:16 AM, Andrew W. Donoho a...@ddg.com wrote: Yesterday, Apple made the bold, unaudited claim that it will never save the fingerprint data outside of the A7 chip. By announcing it publicly, they put