Re: [cryptography] NSA's position in the dominance stakes

2010-11-18 Thread Adam Back
So a serious question: is there a software company friendly jurisdiction? (Where software and algorithm patents do not exist under law?) If patent trolls can patent all sorts of wheels and abuse the US and other jurisdictions' flawed patent system, maybe one can gain business advantage by

Re: [cryptography] NSA's position in the dominance stakes

2010-11-19 Thread Adam Back
. Adam On Thu, Nov 18, 2010 at 08:43:44PM -0500, Steven Bellovin wrote: On Nov 18, 2010, at 5:21 16PM, Adam Back wrote: So a serious question: is there a software company friendly jurisdiction? (Where software and algorithm patents do not exist under law?) It won't help, if you want to sell

Re: [cryptography] patents and stuff (Re: NSA's position in the dominance stakes)

2010-11-21 Thread Adam Back
Hi James I think, a bit of ranting aside, what people dislike is that software patents are a net loss to the economy, software progress and meritocracy. The patent mine-field isn't good for the industry nor society as a whole as it adds economic friction, uncertainty and therefore holds back

Re: [cryptography] current digital cash / anonymous payment projects?

2010-12-01 Thread Adam Back
For the technology, to play with it I have Brands and Chaum credentials implemented in this library: http://cypherspace.org/credlib/ It was an experiment in simplifying the APIs so I think it's rather simple to use. Using credentials as an ecash coin is a simple use-case. For Chaum you

[cryptography] RSA admits securID tokens have been compromised

2011-06-07 Thread Adam Back
http://www.net-security.org/secworld.php?id=11122 RSA has finally admitted publicly that the March breach into its systems has resulted in the compromise of their SecurID two-factor authentication tokens. I guess everyone was suspecting as much reading between the lines of what was said so far,

Re: [cryptography] attacks against bitcoin

2011-06-12 Thread Adam Back
I was thinking a DoS might be a problem. If you could prevent the p2p network broadcasting or receiving broadcasts, maybe you could be the only person able to proceed with minting. If you could keep that up for a while you could reduce the difficulty and create bitcoins with lower cost. A full

Re: [cryptography] Digital cash in the news...

2011-06-13 Thread Adam Back
Bitcoin is not a pyramid scheme, and doesn't have to have the collapse and late joiner losers. If bitcoin does not lose favor - i.e. the user base grows and then maintains size of user base in the long term, then no one loses. I think in the current phase the deflation (currency increasing in

Re: [cryptography] Digital cash in the news...

2011-06-13 Thread Adam Back
to saturation, the remaining deflation would be limited by the underlying population and economic growth. That might be a workable rate of deflation. Adam On Mon, Jun 13, 2011 at 11:55:38PM +1000, Ian G wrote: On 13/06/11 5:54 PM, Adam Back wrote: Bitcoin is not a pyramid scheme, and doesn't have

Re: [cryptography] sander ta-shma + bitcoin, b-money, hashcash (Re: Is BitCoin a triple entry system?)

2011-06-15 Thread Adam Back
On Tue, Jun 14, 2011 at 07:40:10PM +1000, James A. Donald wrote: It is not a design, but an idea for a design. There is no efficient zero knowledge proof that has the required properties. On 2011-06-14 6:13 PM, Adam Back wrote: [...] They use Merkle trees to improve the computation efficiency

[cryptography] not unsubscribing (Re: Unsubscribing)

2011-06-16 Thread Adam Back
Trust me the noise level on here is zero compared to usenet news flame fests, spam, DoS etc. The maintainer is removing spam for one (I think). Personally I find it kind of annoying when people want to squelch any interesting discussion about societal implications as that is part of what is

Re: [cryptography] Bitcoin observation

2011-07-05 Thread Adam Back
I don't think you can prove you have destroyed a bitcoin, neither your own bitcoin, nor someone else's. To destroy it you would have to prove you deleted the coin private key, and you could always have an offline backup. You could uncreate a coin by creating a chain removing it from existence,

Re: [cryptography] Bitcoin observation

2011-07-08 Thread Adam Back
I thought I already said this in another message, but perhaps it didn't get to the list. Apart from the fact that they have some kind of script which trivially allows you to set the conditions of validity to something impossible to satisfy e.g. 0 = 1 that Seth Schoen described; the key in the

[cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

2011-07-13 Thread Adam Back
You know this is why you should use ssh-keys and disable password authentication. First thing I do when someone gives me an ssh account. ssh-keys is the EKE(*) equivalent for ssh. EKE for web login is decades overdue and if implemented and deployed properly in the browser and server could

[cryptography] ECDSA - patent free?

2011-11-09 Thread Adam Back
Anyone have informed opinions on whether ECDSA is patent free? Any suggestions on EC capable crypto library that implements things without tripping over any certicom claimed optimizations? (Someone pointed out to me recently that the redhat shipped openSSL is devoid of ECC which is kind of a

Re: [cryptography] trustable self-signed certs in a P2P environment (freedombox)

2011-11-30 Thread Adam Back
It's rather common for people with load balancers and lots of servers serving the same domain to have multiple certs. Same for certs to change to a new CA before expiry. (Probably switched to a new CA when adding more servers to the load balanced web server farm). I installed cert patrol and

[cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)

2011-11-30 Thread Adam Back
Are there really any CAs which issue sub-CA for deep packet inspection aka doing MitM and issue certs on the fly for everything going through them: gmail, hotmail, online banking etc. I saw Ondrej Mikle also mentions this concept in his referenced link from recent post:

Re: [cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)

2011-12-01 Thread Adam Back
It does at least say they need a certificate practice statement, and hardware key generation and storage, AND All domains must be owned by the enterprise customer. They can sell the ability to be a sub-CA if they want to. Their standards seem probably as good as your average CA and precludes

Re: [cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)

2011-12-02 Thread Adam Back
Well I was aware of RA things where you do your own RA and on the CA side they limit you to issuing certs belonging to you, if I recall thawte was selling those. (They pre-vet your ownership of some domains foocorp.com, foocorpinc.com etc, and then you can issue www.foocorp.com, *.foocorp.com ..

[cryptography] if MitM via sub-CA is going on, need a name-and-shame catalog (Re: really sub-CAs for MitM deep packet inspectors?)

2011-12-02 Thread Adam Back
of privacy in work places (and obviously public places). More below: On Fri, Dec 02, 2011 at 11:02:14PM +1300, Peter Gutmann wrote: Adam Back a...@cypherspace.org writes: Start of the thread was that Greg and maybe others claim they've seen a cert in the wild doing MitM on domains the definitionally

Re: [cryptography] if MitM via sub-CA is going on, need a name-and-shame catalog (Re: really sub-CAs for MitM deep packet inspectors?)

2011-12-02 Thread Adam Back
On Sat, Dec 03, 2011 at 01:00:14AM +1300, Peter Gutmann wrote: I was asked not to reveal details and I won't, Of course, I would do the same if so asked. But there are lots of people on the list who have not obtained information indirectly, with confidentiality assurances offered, and for

Re: [cryptography] if MitM via sub-CA is going on, need a name-and-shame catalog (Re: really sub-CAs for MitM deep packet inspectors?)

2011-12-02 Thread Adam Back
I wonder what that even means. *.com issued by a sub-CA? that private key is a massive risk if so! I wonder if a *.com is even valid according to browsers. Or * that would be funny. Adam On Sat, Dec 03, 2011 at 02:24:53AM +1300, Peter Gutmann wrote: Adam Back a...@cypherspace.org writes

[cryptography] so can we find a public MitM cert sample? (Re: really sub-CAs for MitM deep packet inspectors?)

2011-12-05 Thread Adam Back
I have to say I have my doubts that either Boingo or Sheraton hotels, or other providers would be doing MitM for advertising/profiling or whatever reasons to their respective wifi services. Absent certs showing this, it's a significantly controversial claim, and there are many many reasons you

Re: [cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)

2011-12-06 Thread Adam Back
authorize you or CAs to subvert the SSL guarantee and other people's security. Even people who have internal CAs for certification SHOULD NOT be abusing them for MitM. Adam On Tue, Dec 06, 2011 at 10:52:43AM +, Florian Weimer wrote: * Adam Back: Are there really any CAs which issue sub-CA

Re: [cryptography] Another CA hacked, it seems.

2011-12-08 Thread Adam Back
Did they successfully hack the CA functionality or just a web site housing network design documents for various Dutch government entities? From what survives google translate of the original Dutch it appears to be the latter no? And if Kerckhoffs's principle was followed what does it matter if

Re: [cryptography] airgaps in CAs

2011-12-09 Thread Adam Back
Hi Arshad Do the air gapped private PKI root certs (and if applicable their non-airgapped sub-CA certs they authorize) have the critical name constraint extension eg .foocorp.com meaning it is only valid for creating certs for *.foocorp.com? (I am presuming these private PKI certs are sub-CA

Re: [cryptography] airgaps in CAs

2011-12-13 Thread Adam Back
the new cert? Adam On Mon, Dec 12, 2011 at 06:21:41PM -0800, Arshad Noor wrote: On 12/9/2011 12:27 AM, Adam Back wrote: Do the air gapped private PKI root certs (and if applicable their non-airgapped sub-CA certs they authorize) have the critical name constraint extension eg .foocorp.com meaning

Re: [cryptography] How are expired code-signing certs revoked? (nonrepudiation)

2011-12-22 Thread Adam Back
Stefan Brands' credentials [1] have an anti-lending feature where you have to know all of the private components in order to make a signature with it. My proposal related to what you said was to put a high value ecash coin as one of the private components. Now they have a direct financial

[cryptography] implementation of NIST SP-108 KDFs?

2011-12-28 Thread Adam Back
As there are no NIST KAT / test vectors for the KDF defined in NIST SP 108, I wonder if anyone is aware of any open source implementations of them to use for cross testing? Adam ___ cryptography mailing list cryptography@randombit.net

Re: [cryptography] Password non-similarity?

2012-01-02 Thread Adam Back
On 2 January 2012 03:01, ianG i...@iang.org wrote: When I was a rough raw teenager doing this, I needed around 2 weeks to pick up 5 letters from someone typing like he was electrified. The other 3 were crunched in 4 hours on a vax780. how many samples? (distinct shoulder surf events)

Re: [cryptography] reports of T-Mobile actively blocking crypto

2012-01-11 Thread Adam Back
You know I also noticed mail sending problems when I was in the UK a month or two ago. I am in transit via Heathrow right now, and now I have no problem. This is pay as you go T-Mobile. So maybe they saw the PR problem brewing and stopped whatever they were doing. One gotcha (though I am sure

Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

2012-02-14 Thread Adam Back
Well I am not sure how they can hope to go very far underground. Any and all users on their internal network could easily detect and anonymously report the mitm cert for some public web site without any significant risk of it being tracked back to them. Game over. So removal of one CA from a

Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

2012-02-14 Thread Adam Back
My point is this - say you are the CEO of a CA. Do you want to bet your entire company on no one ever detecting nor reporting the MITM sub-CA that you issued? I wouldn't do it. All it takes is one savvy or curious guy in a 10,000 person company. Consequently if there are any other CAs that have

Re: [cryptography] Duplicate primes in lots of RSA moduli

2012-02-17 Thread Adam Back
Further the fact that the entropy seeding is so bad that some implementations are generating literally the same p value (but seemingly different q values) I would think you could view the fact that this can be detected and efficiently exploited via batch GCD as an indication of an even bigger

Re: [cryptography] Duplicate primes in lots of RSA moduli

2012-02-18 Thread Adam Back
can it be etc. There's a psychological theory of why this kind of thing happens in general - the Dunning-Kruger effect. But maybe 1 happened. Adam [1] http://en.wikipedia.org/wiki/Dunning–Kruger_effect On 18 February 2012 07:57, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: Adam Back

Re: [cryptography] Duplicate primes in lots of RSA moduli

2012-02-18 Thread Adam Back
plausible for this case... the effect would be rather like observed. Adam On 18 February 2012 10:40, Adam Back a...@cypherspace.org wrote: I also was pondering as to how the implementers could have arrived at this situation towards evaluating Stephen Farrell's draft idea to have a service

Re: [cryptography] Duplicate primes in lots of RSA moduli

2012-03-05 Thread Adam Back
Further the fact that the entropy seeding is so bad that some implementations are generating literally the same p value (but seemingly different q values) I would think you could view the fact that this can be detected and efficiently exploited via batch GCD as an indication of an even bigger

Re: [cryptography] The NSA Is Building the Country's Biggest Spy Center (Watch What You Say)

2012-03-23 Thread Adam Back
You know PFS while a good idea, and IMNSO all non-PFS ciphersuites should be deprecated etc, PFS just ensures the communicating parties delete the key negotiation ephemeral private keys after use. Which does nothing intrinsic to prevent massive computation powered 1024 discrete log on stored

Re: [cryptography] Key escrow 2012

2012-03-30 Thread Adam Back
As I recall people were calling the PGP ADK feature corporate access to keys, which the worry was, was only policy + config away from government access to keys. I guess the sentiment still stands, and with some justification, people are still worried about law enforcement access mechanisms for

Re: [cryptography] PINS and [Short] Passwords

2012-04-04 Thread Adam Back
Surely one can't think of the limitations (requirement for cooperation from the OS to test the PIN) as if they are cryptographic limitations... Apple probably supplies such a service themselves to law enforcement as a private Apple approved ready-to-go app. Adam On Wed, Apr 04, 2012 at 03:45:09PM

Re: [cryptography] PINS and [Short] Passwords

2012-04-06 Thread Adam Back
The bit tying in to my comment a few days ago is they note that Apple won't confirm but no doubt does provide a signed private app that takes the encrypted key material off the device for brute forcing. And an app for dumping all data off the device if that's also not possible without jail

[cryptography] SHA1 extension limitations (Re: Doubts over necessity of SHA-3 cryptography standard)

2012-04-10 Thread Adam Back
Well the length extension is not fully flexible. i.e. you get SHA1( msg ) which translates into msg-blocks || pad msg-length which is then fed to SHA1-transform, and the IV is some magic values. So the length extension is if you start with a hash that presumably you don't know all the msg-blocks.

Re: [cryptography] data integrity: secret key vs. non-secret verifier; and: are we winning? (was: “On the limits of the use cases for authenticated encryption”)

2012-04-26 Thread Adam Back
I think the separate integrity tag is more general, flexible and more secure where the flexibility is needed. Tahoe has more complex requirements and hence needs to make use of a separate integrity tag. I guess in general it is going to be more general, flexible if there are separate keys

Re: [cryptography] Bitcoin-mining Botnets observed in the wild? (was: Re: Bitcoin in endgame

2012-05-11 Thread Adam Back
Strikes me 12TH/sec is not actually very much computation? http://bitcoinwatch.com/ also gives network hashrate at 12.4 TH/sec. But a single normally clocked (925MHz) AMD 7970 based graphics card which has 2048 cores is claimed to provide 555MH/sec.

Re: [cryptography] Master Password

2012-05-31 Thread Adam Back
Reminds me of Feb 2003 - Moderately Hard, Memory-bound Functions NDSS 03, Martin Abadi, Mike Burrows, Mark Manasse, and Ted Wobber. (cached at) http://hashcash.org/papers/memory-bound-ndss.pdf By Microsoft research, but then when Exchange and Outlook added a computational cost function, for

Re: [cryptography] Can there be a cryptographic dead man switch?

2012-09-06 Thread Adam Back
And make sure there are multiple internet connections to the hidden servers. Adam On Thu, Sep 06, 2012 at 03:40:23AM +0100, StealthMonger wrote: Good argument. Thanks. It makes Natanael's solution, or some variant of it, all the more appealing. Keep Natanael's servers secret, such as on

Re: [cryptography] Questions about crypto in Oracle TDE

2012-11-08 Thread Adam Back
I'd guess they mean salt is prepended to the plaintext and then presume e.g. then salt + plaintext encrypted with AES in CBC mode with a zero IV. That would be approximately equivalent to encrypting with a random IV (presuming the salt, IV and cipher block are all the same size) because CBC-Enc(

Re: [cryptography] Why using asymmetric crypto like symmetric crypto isn't secure

2012-11-11 Thread Adam Back
(I copied Hans-Joachim Knobloch onto the thread) Wiener is talking about small secret exponents (small d), no one does that. They choose smallish prime e, with low hamming weight (for encryption/signature verification efficiency) like 65537 (10001h) and get a random d, which will by definition

[cryptography] current limits of proving MITM (Re: Gmail and SSL)

2012-12-16 Thread Adam Back
(note the tidy email editing, Ben, and other blind top posters to massive email threads :) See inline. On Sun, Dec 16, 2012 at 10:52:37AM +0300, ianG wrote: [...] we want to prove that a certificate found in an MITM was in the chain or not. But (4) we already have that, in a non-cryptographic

Re: [cryptography] ElGamal Encryption and Signature: Key Generation Requirements?

2012-12-17 Thread Adam Back
Those are Lim-Lee primes where p=2n+1 where n is a B-smooth composite (meaning n = p0*p1*...*pk where each p0 is of size B bits. http://www.gnupg.org/documentation/manuals/gcrypt/Prime_002dNumber_002dGenerator-Subsystem-Architecture.html So if Crypto++ is testing if the q from p=2q+1 is prime, it's

Re: [cryptography] ElGamal Encryption and Signature: Key Generation Requirements?

2012-12-18 Thread Adam Back
, 2012 at 01:15:05AM +0100, Adam Back wrote: Those are Lim-Lee primes where p=2n+1 where n is a B-smooth composite (meaning n = p0*p1*...*pk where each p0 is of size B bits. http://www.gnupg.org/documentation/manuals/gcrypt/Prime_002dNumber_002dGenerator-Subsystem-Architecture.html So if Crypto

Re: [cryptography] ElGamal Encryption and Signature: Key Generation Requirements?

2012-12-18 Thread Adam Back
Well one reason people like Lim-Lee primes is it's much faster to generate them. That is because of prime density being lower for strong primes, at the sizes of p, q for p=2q+1 and you need to screen both p, q for primeness. With Lim-Lee as you maybe saw in the paper you just generate a few

Re: [cryptography] ElGamal Encryption and Signature: Key Generation Requirements?

2012-12-19 Thread Adam Back
, 2012 at 8:29 PM, Adam Back a...@cypherspace.org wrote: Well one reason people like Lim-Lee primes is it's much faster to generate them. That is because of prime density being lower for strong primes, at the sizes of p, q for p=2q+1 and you need to screen both p, q for primeness. With Lim-Lee

[cryptography] fragilities of CTR vs CBC (Re: Tigerspike claims world first with Karacell for mobile security)

2012-12-27 Thread Adam Back
I think you could say CTR mode is fragile against counter reuse exposing plaintext pair XORs, but CBC is also somewhat fragile against IV reuse, forming an ECB code book around the set of same IV messages. CBC itself has other issues eg using non-repeating (but non-random) IVs, for example using

Re: [cryptography] yet another certificate MITM attack

2013-01-11 Thread Adam Back
For http there is a mechanism for cache security as this is an issue that does come up (you do not want to cache security information or responses with security information in them, eg cookies or information related to one user and then have the proxy cache accidentally send that to a different

Re: [cryptography] Bonding or Insuring of CAs?

2013-01-25 Thread Adam Back
I had the impression this list and its predecessor moderated (too heavily IMO) by Perry were primarily about applied crypto. So you get to tolerate a bit of applied crypto security stuff if you're interested in crypto theory and vice versa. Seems healthy to me (cross informs both camps). In

[cryptography] blinding to protect against timing-attacks on RSA sigs (Re: OAEP for RSA signatures?)

2013-01-27 Thread Adam Back
The RSA private key timing attack is much more likely than on padding because the cost is so much higher. Bleichenbacher like adaptive attacks are not so much timing as error code attacks (app is too chatty about whether padding was well formed after decryption), so that's a separate issue. For

Re: [cryptography] openssl on git

2013-01-28 Thread Adam Back
You know other source control systems, and presumably git also, have an excludes list which can contain wildcards. It comes prepopulated with e.g. *.o - as you probably don't want to check them in. I think you could classify this as a git bug (or more probably a mistake in how github are

[cryptography] ZKPs and other stuff at Zero Knowledge Systems (Re: Zero knowledge as a term for end-to-end encryption)

2013-02-13 Thread Adam Back
I don't think it's too bad, it's fairly intuitive and related English meaning also. At zero-knowledge we had a precedent of the same use: we used it as an intentional pun that we had zero-knowledge about our customers, and in actuality in one of the later versions we actually had a ZKP (to do with

Re: [cryptography] Bitmessage

2013-02-16 Thread Adam Back
With no criticism to the idea and motivation there are similarities with having a reply-to of a newsgroup such as alt.anonymous.messages, which is used as a more secure alternative to reply blocks. To pickup those messages anonymously you'd ideally need to be able to unobservably download

Re: [cryptography] Bitmessage

2013-02-20 Thread Adam Back
Seems to me neither of you read the reference I gave: I (Adam) wrote: It is tricky to get forward secrecy for store-and-forward messaging [2], but perhaps you could incorporate rekeying into your protocol in some convenient way. ... [2] http://cypherspace.org/adam/nifs/ Not impossible just

Re: [cryptography] Interesting Webcrypto question

2013-03-03 Thread Adam Back
The realism of export restricting open source software is utterly ludicrous. Any self-declaration click-through someone might implement can be clicked through by anyone, from anywhere, and I presume someone from an embargoed country is more worried about their own country's laws than US laws, to

[cryptography] msft skype IM snooping stats PGP/X509 in IM?? (Re: why did OTR succeed in IM?)

2013-03-23 Thread Adam Back
Was there anyone trying to use OpenPGP and/or X.509 in IM? I mean I know many IM protocols support SSL which itself uses X.509, but that doesn't really meaningfully encrypt the messages in a privacy sense as they flow in the plaintext through chat server with that model. btw is anyone noticing

Re: [cryptography] msft skype IM snooping stats PGP/X509 in IM?? (Re: why did OTR succeed in IM?)

2013-03-24 Thread Adam Back
Ian wrote: Are we saying then that the threat on the servers has proven so small that in practice nobody's bothered to push a persistent key mechanism? Or have I got this wrong, and the clients are doing p2p exchange of their ephemeral keys, thus dispersing the risk? It's been a while since I

Re: [cryptography] Cypherpunks mailing list

2013-03-25 Thread Adam Back
Yeah but that is basically zero traffic, and I suspect in large part because it's a silly domain that people who dislike inviting their addition to a watch-list will avoid. Maybe someone with a more neutral domain could try it - or a cypherpunks.* domain if they have a listserv handy. Adam On

Re: [cryptography] Cypherpunks mailing list

2013-03-25 Thread Adam Back
On Mon, Mar 25, 2013 at 05:13:57PM +0100, Moritz wrote: On 25.03.2013 09:25, Adam Back wrote: because its a silly domain that people who dislike inviting their addition to a watch-list will avoid. Isn't exactly that a nice property of a cypherpunks list? No it is not, it is a way

Re: [cryptography] Cypherpunks mailing list

2013-03-25 Thread Adam Back
. But my point actually was b...@al-qaeda.net??? Come on that is watch list bait and an invitation NOT to join list blah, whatever it is about. Adam On Mon, Mar 25, 2013 at 06:18:14PM +0100, Eugen Leitl wrote: On Mon, Mar 25, 2013 at 05:50:18PM +0100, Adam Back wrote: Isn't exactly that a nice

Re: [cryptography] an untraceability extension to Bitcoin using a combination of digital commitments, one-way accumulators and zero-knowledge proofs,

2013-04-13 Thread Adam Back
Also without having read the article, but did read the blog post by one of the authors as Ian G said zerocoin appears to provide payment privacy, and public auditability while retaining distributed setting. However publicly auditable payment privacy comes from ZKP of non-set membership

[cryptography] summary of zerocoin (Re: an untraceability extension to Bitcoin using a combination of digital commitments, one-way accumulators and zero-knowledge proofs, )

2013-04-17 Thread Adam Back
It appears to use cut-and-choose technique to create a non-interactive ZKP on a one-way accumulator (from Camenisch Lysyanskaya). That results in relatively big ZKPs which impact bitcoin scalability, it doesn't say how big they actually are but for good security margin I'm guessing something like

[cryptography] bitcoin stats (Re: OT: Skype-Based Malware Forces Computers into Bitcoin Mining)

2013-04-18 Thread Adam Back
vs the other things malware does it also seems like a much more benign payload - uses a bit more electricity! I imagine they throttle it down dynamically when the user actually does things to hide the computer slow down. (Though typically you won't notice with GPU mining unless you are playing

Re: [cryptography] summary of zerocoin (Re: an untraceability extension to Bitcoin using a combination of digital commitments, one-way accumulators and zero-knowledge proofs, )

2013-04-18 Thread Adam Back
+0200, Adam Back wrote: It appears to use cut-and-choose technique to create a non-interactive ZKP on a one-way accumulator (from Camenisch Lysyanskaya). That results in relatively big ZKPs which impact bitcoin scalability, it doesn't say how big they actually are but for good security margin I'm guessing

Re: [cryptography] Regarding Zerocoin and alternative cryptographic accumulators

2013-05-05 Thread Adam Back
This below post didn't elicit any response, but the poster references an interesting though novel (and therefore possibly risky) alternative accumulator without the need for a centrally trusted RSA key generator (which is an anathema to a distributed trust system), or alternatively zero-trust but

Re: [cryptography] Regarding Zerocoin and alternative cryptographic accumulators

2013-05-05 Thread Adam Back
[More address typos, it's contagious!, so resending] This below post didn't elicit any response, but the poster references an interesting though novel (and therefore possibly risky) alternative accumulator without the need for a centrally trusted RSA key generator (which is an anathema to a

Re: [cryptography] skype backdoor confirmation

2013-05-18 Thread Adam Back
Actually I think that was the point, as far as anyone knew and from the last published semi-independent review (some years ago on the crypto list as I recall) it indeed was end2end secure. Many IM systems are not end2end so for skype to benefit from the impression that they still are end2end

Re: [cryptography] skype backdoor confirmation

2013-05-22 Thread Adam Back
You know that's the second time you claimed skype was not end2end secure. Did you read the skype independent security review paper that Ian posted a link to? http://download.skype.com/share/security/2005-031%20security%20evaluation.pdf It is clearly and unambiguously claimed that skype WAS end

Re: [cryptography] skype backdoor confirmation

2013-05-22 Thread Adam Back
:30PM +0200, Florian Weimer wrote: * Adam Back: If you want to claim otherwise we're gonna need some evidence. https://login.skype.com/account/password-reset-request This is impossible to implement with any real end-to-end security.

Re: [cryptography] skype backdoor confirmation

2013-05-22 Thread Adam Back
On 22.05.2013 19:28, Florian Weimer wrote: * Adam Back: If you want to claim otherwise we're gonna need some evidence. https://login.skype.com/account/password-reset-request This is impossible to implement with any real end-to-end security

Re: [cryptography] skype backdoor confirmation

2013-05-24 Thread Adam Back
It seems like there is this new narrative in some people's minds about all companies backdoor everything and cooperate with law enforcement with no questions asked, what do you expect. I have to disagree strongly with this narrative to combat this narrative displacing reality! I've seen several

Re: [cryptography] Is the NSA now a civilian intelligence agency? (Was: Re: Snowden: Fabricating Digital Keys?)

2013-06-30 Thread Adam Back
Fully agree. I suspect the released figures showing a spike in FBI wire-taps may be cover/laundry and indicative of receiving domestic targeted crime tips from NSA. Another vector: the UK GCHQ have reportedly on their list of authorized spying motivations economic well being. That translates

Re: [cryptography] What project would you finance? [WAS: Potential funding for crypto-related projects]

2013-07-02 Thread Adam Back
I think it's time to deprecate non-https (and non-forward secret ciphersuites.) Compute power has moved on, session caching works, symmetric crypto is cheap. Btw did anyone get a handle on session resumption - does it provide forward secrecy (via k' = H(k)?). Otherwise I saw concerns a disk

[cryptography] SSL session resumption defective (Re: What project would you finance? [WAS: Potential funding for crypto-related projects])

2013-07-02 Thread Adam Back
On Tue, Jul 02, 2013 at 11:48:02AM +0100, Ben Laurie wrote: On 2 July 2013 11:25, Adam Back a...@cypherspace.org wrote: does it provide forward secrecy (via k' = H(k)?). Resumed [SSL] sessions do not give forward secrecy. Sessions should be expired regularly, therefore. That seems like

Re: [cryptography] SSL session resumption defective (Re: What project would you finance? [WAS: Potential funding for crypto-related projects])

2013-07-04 Thread Adam Back
Forward secrecy is an exceedingly important security property. Without it an attacker can store encrypted messages via passive eavesdropping, or court order any infrastructure that records messages (advertised or covert) and then obtain the private key via burglary, subpoena, coercion or

Re: [cryptography] SSL session resumption defective (Re: What project would you finance? [WAS: Potential funding for crypto-related projects])

2013-07-04 Thread Adam Back
I do not think it is a narrow difference. End point compromise via subpoena, physical seizing, or court mandated disclosure are far different things than pre-emptive storing and later decryption. The scale at which a society will do them, and tolerate doing them given their inherently increased

Re: [cryptography] a Cypherpunks comeback

2013-07-22 Thread Adam Back
Could you please get another domain name, that name is just ridiculous. It might tickle your humour but I guarantee it does not 99% of potential subscribers... Unless your hidden objective is to drive away potential subscribers. Adam On Sun, Jul 21, 2013 at 11:07:26AM +0200, Eugen Leitl

Re: [cryptography] Forward Secrecy Extensions for OpenPGP: Is this still a good proposal?

2013-09-10 Thread Adam Back
You know coincidentally we (the three authors of that paper) were just talking about that very topic in off-list (and PGP encrypted:) email. I remain keen on forward-secrecy, and it does seem to be in fashion again right now. Personally I think we in the open community need to up our game an

[cryptography] motivation, research ethics organizational criminality (Re: Forward Secrecy Extensions for OpenPGP: Is this still a good proposal?)

2013-09-13 Thread Adam Back
I suspect there may be some positive correlation between brilliant minds and consideration of human rights, ability to think independently and critically including in the area of uncritical acceptance of authoritarian dictates. We're not talking about a random grunt - we're talking about gifted end

Re: [cryptography] [Cryptography] prism proof email, namespaces, and anonymity

2013-09-15 Thread Adam Back
On Fri, Sep 13, 2013 at 04:55:05PM -0400, John Kelsey wrote: The more I think about it, the more important it seems that any anonymous email like communications system *not* include people who don't want to be part of it, and have lots of defenses to prevent its anonymous communications from

Re: [cryptography] Asynchronous forward secrecy encryption

2013-09-16 Thread Adam Back
Well aside from the PGP PFS draft that you found (which I am one of the co-authors of) I also had before that in 1998 observed that any IBE system can be used to make a non-interactively forward secret system. http://www.cypherspace.org/adam/nifs/ There were prior IBE systems (with expensive

Re: [cryptography] [Bitcoin-development] REWARD offered for hash collisions for SHA1, SHA256, RIPEMD160 and others

2013-09-16 Thread Adam Back
Mining power policy abuse (deciding which transactions prevail based on compute power advantage for theft reasons, or political reasons, or taint reasons) is what committed coins protect against: https://bitcointalk.org/index.php?topic=206303.0 (It's just a proposal, it's not implemented). Adam

Re: [cryptography] Asynchronous forward secrecy encryption

2013-09-18 Thread Adam Back
That's a good approach but note it does assume your messages are delivered in the same order they are sent (even though they are delivered asynchronously). That is generally the case but does not have to be - neither email nor UDP for example guarantee that. Maybe you would want to include an

Re: [cryptography] Asynchronous forward secrecy encryption

2013-09-20 Thread Adam Back
Depending on what you're using this protocol for you maybe should try to make it so that an attacker cannot tell that two messages are for the same recipient, nor which message comes before another even with access to long term keys of one or both parties after the fact. (Forward-anonymity

Re: [cryptography] Asynchronous forward secrecy encryption

2013-09-20 Thread Adam Back
with disclosure of current keys, in the event of a key compromise anonymity is lost. Adam On Fri, Sep 20, 2013 at 11:19:58AM +0200, Adam Back wrote: Depending on what you're using this protocol for you maybe should try to make it so that an attacker cannot tell that two messages are for the same

Re: [cryptography] Deleting data on a flash?

2013-09-23 Thread Adam Back
While I get wear leveling is a problem, I'm not sure if the flash in a phone is even going to use wear-leveling, but say for the sake of argument it does. It is however not a completely brand-new problem, relatedly spinning disks now and then suffer sector failures, and the failed sectors are

[cryptography] secure deletion on SSDs (Re: Asynchronous forward secrecy encryption)

2013-09-23 Thread Adam Back
(Changing the subject line to reflect topic drift). That's not bad (make the decryption dependent on accessibility of the entire file) nice as a design idea. But that could be expensive in the sense that any time any block in the file changes, you have to re-encrypt the encryption or, more

[cryptography] secure deletion on SSDs (Re: Asynchronous forward secrecy encryption)

2013-09-23 Thread Adam Back
On Mon, Sep 23, 2013 at 01:39:35PM +0100, Michael Rogers wrote: Apple came within a whisker of solving the problem in iOS by creating an 'effaceable storage' area within the flash storage, which bypasses block remapping and can be deleted securely. However, iOS only uses the effaceable storage

[cryptography] forward-secrecy =2048-bit in legacy browser/servers? (Re: [Cryptography] RSA equivalent key length/strength)

2013-09-25 Thread Adam Back
On Wed, Sep 25, 2013 at 11:59:50PM +1200, Peter Gutmann wrote: Something that can sign a new RSA-2048 sub-certificate is called a CA. For a browser, it'll have to be a trusted CA. What I was asking you to explain is how the browsers are going to deal with over half a billion (source: Netcraft

Re: [cryptography] [Cryptography] TLS2

2013-09-30 Thread Adam Back
On Mon, Sep 30, 2013 at 11:49:49AM +0300, ianG wrote: On 30/09/13 11:02 AM, Adam Back wrote: no ASN.1, and no X.509 [...], encrypt and then MAC only, no non-forward secret ciphersuites, no baked in key length limits [...] support soft-hosting [...] Add TOFO for self-signed keys. Personally

[cryptography] three crypto lists - why and which

2013-09-30 Thread Adam Back
I am not sure if everyone is aware that there is also an unmoderated crypto list, because I see old familiar names posting on the moderated crypto list that I do not see posting on the unmoderated list. The unmoderated list has been running continuously (new posts in every day with no gaps)

[cryptography] PBKDF2 + current GPU or ASIC farms = game over for passwords (Re: TLS2)

2013-09-30 Thread Adam Back
On Mon, Sep 30, 2013 at 02:34:27PM +0100, Wasa wrote: On 30/09/13 10:47, Adam Back wrote: Well clearly passwords are bad and near the end of their life-time with GPU advances, and even amplified password authenticated key exchanges like EKE have a (so far) unavoidable design requirement to have

Re: [cryptography] PBKDF2 + current GPU or ASIC farms = game over for passwords (Re: TLS2)

2013-09-30 Thread Adam Back
On Mon, Sep 30, 2013 at 06:52:47PM +0100, Wasa wrote: Also the PBKDF2 / scrypt happens on the client side - how do you think your ARM powered smart phone will compare to a 9x 4096 core GPU monster. Not well :) How much would it help to delegate PBKDF2 / scrypt to smartphone GPU to break this

Re: [cryptography] PBKDF2 + current GPU or ASIC farms = game over for passwords (Re: TLS2)

2013-09-30 Thread Adam Back
On Mon, Sep 30, 2013 at 07:41:20PM +0100, Wasa wrote: The only attack is on the PBKDF2 stored on the server (or malware to grab the password on the client) right. I was thinking SRP/JPAKE where the server does not store PBKDF2(salt,pwd) server-side, but rather it stores something like
