Re: [Cryptography] NSA and cryptanalysis

2013-09-06 Thread ianG
On 6/09/13 04:44 AM, Peter Gutmann wrote: John Kelsey crypto@gmail.com writes: If I had to bet, I'd bet on bad rngs as the most likely source of a breakthrough in decrypting lots of encrypted traffic from different sources. If I had to bet, I'd bet on anything but the crypto. Why attack

Re: [Cryptography] NSA and cryptanalysis

2013-09-05 Thread Joachim Strömbergson
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Aloha! Jerry Leichter wrote: On Sep 1, 2013, at 2:11 PM, Perry E. Metzger wrote: On Sun, 1 Sep 2013 07:11:06 -0400 Jerry Leichter leich...@lrw.com wrote: Meanwhile, just what evidence do we really have that AES is secure? The fact that the

Re: [Cryptography] NSA and cryptanalysis

2013-09-05 Thread Peter Gutmann
John Kelsey crypto@gmail.com writes: If I had to bet, I'd bet on bad rngs as the most likely source of a breakthrough in decrypting lots of encrypted traffic from different sources. If I had to bet, I'd bet on anything but the crypto. Why attack when you can bypass [1]. Peter. [1] From

Re: [Cryptography] NSA and cryptanalysis

2013-09-03 Thread Phillip Hallam-Baker
On Tue, Sep 3, 2013 at 12:49 AM, Jon Callas j...@callas.org wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Sep 2, 2013, at 3:06 PM, Jack Lloyd ll...@randombit.net wrote: On Mon, Sep 02, 2013 at 03:09:31PM -0400, Jerry Leichter wrote: a) The very reference you give says that

Re: [Cryptography] NSA and cryptanalysis

2013-09-03 Thread Jon Callas
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 What is the state of prior art for the P-384? When was it first published? Given that RIM is trying to sell itself right now and the patents are the only asset worth having, I don't have good feelings on this. Well apart from the business

Re: [Cryptography] NSA and cryptanalysis

2013-09-02 Thread James A. Donald
On 2013-09-01 9:11 PM, Jerry Leichter wrote: Meanwhile, on the authentication side, Stuxnet provided evidence that the secret community *does* have capabilities (to conduct a collision attacks) beyond those known to the public - capabilities sufficient to produce fake Windows updates. Do we

Re: [Cryptography] NSA and cryptanalysis

2013-09-02 Thread Jerry Leichter
On Sep 1, 2013, at 6:06 PM, Perry E. Metzger wrote: We know what they spec for use by the rest of the US government in Suite B. http://www.nsa.gov/ia/programs/suiteb_cryptography/ AES with 128-bit keys provides adequate protection for classified information up to the SECRET level.

Re: [Cryptography] NSA and cryptanalysis

2013-09-02 Thread Perry E. Metzger
On Mon, 2 Sep 2013 00:06:21 -0400 Jerry Leichter leich...@lrw.com wrote: - To let's look at what they want for TOP SECRET. First off, RSA - accepted for a transition period for SECRET, and then only with 2048 bit moduli, which until the last year or so were almost unknown in commercial

Re: [Cryptography] NSA and cryptanalysis

2013-09-02 Thread Jerry Leichter
On Sep 1, 2013, at 10:35 PM, James A. Donald wrote: Meanwhile, on the authentication side, Stuxnet provided evidence that the secret community *does* have capabilities (to conduct a collision attacks) beyond those known to the public - capabilities sufficient to produce fake Windows

Re: [Cryptography] NSA and cryptanalysis

2013-09-02 Thread Anne Lynn Wheeler
recent post with email discussing PGP-like implementation ... a decade before PGP in financial crypto blog http://www.garlic.com/~lynn/2013i.html#69 and then a little later realizing there were 3-kinds of crypto (when I was told I could make as many boxes as I wanted ... but could only sell to

Re: [Cryptography] NSA and cryptanalysis

2013-09-02 Thread Perry E. Metzger
On Mon, 2 Sep 2013 15:09:31 -0400 Jerry Leichter leich...@lrw.com wrote: On Sep 2, 2013, at 1:25 PM, Perry E. Metzger wrote: On Mon, 2 Sep 2013 00:06:21 -0400 Jerry Leichter leich...@lrw.com wrote: - To let's look at what they want for TOP SECRET. First off, RSA - accepted for a

Re: [Cryptography] NSA and cryptanalysis

2013-09-02 Thread Jerry Leichter
On Sep 2, 2013, at 1:25 PM, Perry E. Metzger wrote: On Mon, 2 Sep 2013 00:06:21 -0400 Jerry Leichter leich...@lrw.com wrote: - To let's look at what they want for TOP SECRET. First off, RSA - accepted for a transition period for SECRET, and then only with 2048 bit moduli, which until the

Re: [Cryptography] NSA and cryptanalysis

2013-09-02 Thread Phillip Hallam-Baker
On Sun, Sep 1, 2013 at 10:35 PM, James A. Donald jam...@echeque.com wrote: On 2013-09-01 9:11 PM, Jerry Leichter wrote: Meanwhile, on the authentication side, Stuxnet provided evidence that the secret community *does* have capabilities (to conduct a collision attacks) beyond those known to

Re: [Cryptography] NSA and cryptanalysis

2013-09-02 Thread Perry E. Metzger
On Mon, 2 Sep 2013 14:45:00 -0400 Phillip Hallam-Baker hal...@gmail.com wrote: Do we know they produced fake windows updates without assistance from Microsoft? Given the reaction from Microsoft, yes. The Microsoft public affairs people have been demonstrating real anger at the Flame

Re: [Cryptography] NSA and cryptanalysis

2013-09-02 Thread Phillip Hallam-Baker
You know, if there was a completely ironclad legal opinion that made use of ECC possible without the risk of a lawsuit costing over $2 million from Certicom then I would be happy to endorse a switch to ECC like the NSA is pushing for as well. I would not therefore draw the conclusion that NSA

Re: [Cryptography] NSA and cryptanalysis

2013-09-02 Thread Christian Huitema
Do we know they produced fake windows updates without assistance from Microsoft? Given the reaction from Microsoft, yes. The Microsoft public affairs people have been demonstrating real anger at the Flame attack in many forums. But of course, sufficiently paranoid people might

Re: [Cryptography] NSA and cryptanalysis

2013-09-02 Thread Perry E. Metzger
On Mon, 2 Sep 2013 13:14:00 -0700 Christian Huitema huit...@huitema.net wrote: Do we know they produced fake windows updates without assistance from Microsoft? Given the reaction from Microsoft, yes. The Microsoft public affairs people have been demonstrating real anger at

Re: [Cryptography] NSA and cryptanalysis

2013-09-02 Thread Perry E. Metzger
On Mon, 2 Sep 2013 17:44:57 -0400 Jerry Leichter leich...@lrw.com wrote: ...Clearly, as things like bad vendor drivers updates have been sent out using stolen keys in the past, and clearly vendors might simply make mistakes in the future Except that that's not what happened in this

Re: [Cryptography] NSA and cryptanalysis

2013-09-02 Thread Jerry Leichter
Do we know they produced fake windows updates without assistance from Microsoft? Given the reaction from Microsoft, yes. The Microsoft public affairs people have been demonstrating real anger at the Flame attack in many forums. ...Clearly, as things like bad vendor drivers updates have

Re: [Cryptography] NSA and cryptanalysis

2013-09-02 Thread Jack Lloyd
On Mon, Sep 02, 2013 at 03:09:31PM -0400, Jerry Leichter wrote: a) The very reference you give says that to be equivalent to 128 bits symmetric, you'd need a 3072 bit RSA key - but they require a 2048 bit key. And the same reference says that to be equivalent to 256 bits symmetric, you need

Re: [Cryptography] NSA and cryptanalysis

2013-09-02 Thread Jon Callas
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Sep 2, 2013, at 3:06 PM, Jack Lloyd ll...@randombit.net wrote: On Mon, Sep 02, 2013 at 03:09:31PM -0400, Jerry Leichter wrote: a) The very reference you give says that to be equivalent to 128 bits symmetric, you'd need a 3072 bit RSA key -

Re: [Cryptography] NSA and cryptanalysis

2013-09-01 Thread Perry E. Metzger
On Sat, 31 Aug 2013 17:00:01 -0400 John Kelsey crypto@gmail.com wrote: If I had to bet, I'd bet on bad rngs as the most likely source of a breakthrough in decrypting lots of encrypted traffic from different sources. This seems by far the most probable conclusion. Note, for example,

Re: [Cryptography] NSA and cryptanalysis

2013-09-01 Thread Jerry Leichter
On Sep 1, 2013, at 2:36 AM, Peter Gutmann wrote: John Kelsey crypto@gmail.com writes: If I had to bet, I'd bet on bad rngs as the most likely source of a breakthrough in decrypting lots of encrypted traffic from different sources. If I had to bet, I'd bet on anything but the crypto.

Re: [Cryptography] NSA and cryptanalysis

2013-09-01 Thread John Kelsey
What I think we are worried about here are very widespread automated attacks, and they're passive (data is collected and then attacks are run offline). All that constrains what attacks make sense in this context. You need attacks that you can run in a reasonable time, with minimal

Re: [Cryptography] NSA and cryptanalysis

2013-09-01 Thread Perry E. Metzger
On Sun, 1 Sep 2013 07:11:06 -0400 Jerry Leichter leich...@lrw.com wrote: Meanwhile, just what evidence do we really have that AES is secure? The fact that the USG likes using it, too. That's also evidence for eliptic curve techniques btw. Perry -- Perry E. Metzger

Re: [Cryptography] NSA and cryptanalysis

2013-09-01 Thread Jerry Leichter
On Sep 1, 2013, at 2:11 PM, Perry E. Metzger wrote: On Sun, 1 Sep 2013 07:11:06 -0400 Jerry Leichter leich...@lrw.com wrote: Meanwhile, just what evidence do we really have that AES is secure? The fact that the USG likes using it, too. We know they *say in public* that it's acceptable.

Re: [Cryptography] NSA and cryptanalysis

2013-09-01 Thread Perry E. Metzger
On Sun, 1 Sep 2013 16:33:56 -0400 Jerry Leichter leich...@lrw.com wrote: On Sep 1, 2013, at 2:11 PM, Perry E. Metzger wrote: On Sun, 1 Sep 2013 07:11:06 -0400 Jerry Leichter leich...@lrw.com wrote: Meanwhile, just what evidence do we really have that AES is secure? The fact that

Re: [Cryptography] NSA and cryptanalysis

2013-08-31 Thread Aaron Zauner
On Aug 30, 2013, at 1:17 PM, Jerry Leichter leich...@lrw.com wrote: So the latest Snowden data contains hints that the NSA (a) spends a great deal of money on cracking encrypted Internet traffic; (b) recently made some kind of a cryptanalytic breakthrough. What are we to make of this?

Re: [Cryptography] NSA and cryptanalysis

2013-08-31 Thread David I. Emery
On Fri, Aug 30, 2013 at 07:17:08AM -0400, Jerry Leichter wrote: So the latest Snowden data contains hints that the NSA (a) spends a great deal of money on cracking encrypted Internet traffic; (b) recently made some kind of a cryptanalytic breakthrough. What are we to make of this?

Re: [Cryptography] NSA and cryptanalysis

2013-08-31 Thread Ray Dillinger
On 08/30/2013 08:10 PM, Aaron Zauner wrote: I read that WP report too. IMHO this can only be related to RSA (factorization, side-channel attacks). I have been hearing rumors lately that factoring may not in fact be as hard as we have heretofore supposed. Algorithmic advances keep eating

Re: [Cryptography] NSA and cryptanalysis

2013-08-31 Thread ianG
On 31/08/13 06:10 AM, Aaron Zauner wrote: On Aug 30, 2013, at 1:17 PM, Jerry Leichter leich...@lrw.com wrote: So the latest Snowden data contains hints that the NSA (a) spends a great deal of money on cracking encrypted Internet traffic; (b) recently made some kind of a cryptanalytic

Re: [Cryptography] NSA and cryptanalysis

2013-08-31 Thread John Kelsey
If I had to bet, I'd bet on bad rngs as the most likely source of a breakthrough in decrypting lots of encrypted traffic from different sources. --John ___ The cryptography mailing list cryptography@metzdowd.com

Re: [Cryptography] NSA and cryptanalysis

2013-08-31 Thread James A. Donald
On 2013-09-01 4:02 AM, Ray Dillinger wrote: On 08/30/2013 08:10 PM, Aaron Zauner wrote: I read that WP report too. IMHO this can only be related to RSA (factorization, side-channel attacks). I have been hearing rumors lately that factoring may not in fact be as hard as we have heretofore

Re: [Cryptography] NSA and cryptanalysis

2013-08-31 Thread Jerry Leichter
On Aug 31, 2013, at 2:02 PM, Ray Dillinger wrote: ... It is both interesting and peculiar that so little news of quantum computing has been published since. I don't understand this claim. Shor's work opened up a really hot new area that both CS people and physicists (and others as well) have