Re: [cryptography] Point compression prior art?

2011-05-20 Thread Nico Williams
On Fri, May 20, 2011 at 5:40 PM, Paul Crowley p...@ciphergoth.org wrote: On 20/05/11 23:14, Zooko O'Whielacronx wrote: How about the Compact Representation, section 4.2, of RFC 6090: http://www.rfc-editor.org/rfc/rfc6090.txt Is that the same point compression that you were looking for?

Re: [cryptography] rolling hashes, EDC/ECC vs MAC/MIC, etc.

2011-05-20 Thread Nico Williams
On Fri, May 20, 2011 at 4:30 PM, travis+ml-rbcryptogra...@subspacefield.org wrote: Just a quick thought, I noticed the other day that rsync uses a rolling MD4 hash or something like that to detect changes in a window of data. A quick look around should tell you that it uses a rolling checksum

Re: [cryptography] rolling hashes, EDC/ECC vs MAC/MIC, etc.

2011-05-21 Thread Nico Williams
On Sat, May 21, 2011 at 2:53 AM, travis+ml-rbcryptogra...@subspacefield.org wrote: On Fri, May 20, 2011 at 05:18:16PM -0500, Nico Williams wrote: A function with that property isn't a hash function. How do you figure? Well, to be fair, a rolling hash is a hash function, proper. It may well

Re: [cryptography] rolling hashes, EDC/ECC vs MAC/MIC, etc.

2011-05-21 Thread Nico Williams
On Sat, May 21, 2011 at 1:50 PM, Zooko O'Whielacronx zo...@zooko.com wrote: What I would most want is for ZFS (and every other filesystem) to maintain a Merkle Tree over the file data with a good secure hash. Me too. ZFS does do that, but unfortunately the internal Merkle hash maintained this

Re: [cryptography] Preserve us from poorly described/implemented crypto

2011-06-07 Thread Nico Williams
TEMPEST. I'd like keyboards with counter-measures (emanation of noise clicks) or shielding to be on the market, and built-in for laptops. I wonder whether touch-screen smartphones give off any useful RF emanations regarding touches, drags, screen contents. Anyways, I'm getting off topic...

Re: [cryptography] Preserve us from poorly described/implemented crypto

2011-06-07 Thread Nico Williams
On Tue, Jun 7, 2011 at 2:01 PM, J.A. Terranson me...@mfn.org wrote: On Tue, 7 Jun 2011, Nico Williams wrote: TEMPEST. I'd like keyboards with counter-measures (emanation of noise clicks) or shielding to be on the market, and built-in for laptops. Remember how well the original IBM PC clicky

Re: [cryptography] Current state of brute-forcing random keys?

2011-06-09 Thread Nico Williams
On Thu, Jun 9, 2011 at 7:34 PM, Solar Designer so...@openwall.com wrote: On Thu, Jun 09, 2011 at 05:22:59PM -0500, Nico Williams wrote: And for remote password-based authentication we'll want to start using ZKPPs This doesn't prevent offline password guessing attacks after a (temporary

Re: [cryptography] Current state of brute-forcing random keys?

2011-06-09 Thread Nico Williams
Although even non-augmented ZKPPs should use a good KDF because even though the server stores a password equivalent there is still value in protecting the actual password. ___ cryptography mailing list cryptography@randombit.net

Re: [cryptography] Digital cash in the news...

2011-06-11 Thread Nico Williams
On Sat, Jun 11, 2011 at 3:13 PM, John Levine jo...@iecc.com wrote: (Anyone who thinks that a gold standard is better than what we have now, or that the supply of gold is fixed in any but a purely hypothetical sense, is either ignorant of economic history or shilling for gold speculators.) +1.

Re: [cryptography] Digital cash in the news...

2011-06-12 Thread Nico Williams
On Sun, Jun 12, 2011 at 9:44 PM, James A. Donald jam...@echeque.com wrote: On 2011-06-12 8:53 AM, Nico Williams wrote: A fiat currency with no capital controls and reasonably free trade is probably the best currency system yet.  Details do matter though. If operated by far sighted men

Re: [cryptography] Digital cash in the news...

2011-06-12 Thread Nico Williams
On Sun, Jun 12, 2011 at 10:34 PM, Jeffrey Walton noloa...@gmail.com wrote: I think Sparta had it right in this instance: put the public officials on trial when their term is over, and make them accountable for their actions. It's funny how those lessons were lost. Doesn't help. The trials

Re: [cryptography] Digital cash in the news...

2011-06-12 Thread Nico Williams
On Sun, Jun 12, 2011 at 11:28 PM, Jeffrey Walton noloa...@gmail.com wrote: I recall Obama boasting: My Administration is the only thing saving you from the pitchforks of the American people [sic] at a banker's lunch after he took office. On the campaign trail, he received over 1M USD from

Re: [cryptography] Nothing to do with digital cash in the news...

2011-06-12 Thread Nico Williams
On Mon, Jun 13, 2011 at 12:33 AM, John Levine jo...@iecc.com wrote: Sigh.  This is both unrelated to crypto, and just plain factually wrong (although it is considered gospel in some political circles.) True, so I'll drop it. There's much to debate here that doesn't belong on this list. I'll

Re: [cryptography] Digital cash in the news...

2011-06-13 Thread Nico Williams
On Mon, Jun 13, 2011 at 10:50 AM, Nathan Loofbourrow njl...@gmail.com wrote: The good old market played a role here too. There are lots of investors whose risk profile dictates that they should be in safe investments, e.g. pension funds and old people. With the interest rates held on the floor,

Re: [cryptography] GOST attack

2011-06-14 Thread Nico Williams
On Tue, Jun 14, 2011 at 7:31 AM, Jean-Philippe Aumasson jeanphilippe.aumas...@gmail.com wrote: AFAIU this attack indeed needs store all 2^64 plaintext/ciphertext pairs, and needs 2^228 computations. This makes it less interesting than a generic codebook attack, which only needs the former 2^64

Re: [cryptography] crypto security/privacy balance (Re: Digital cash in the news...)

2011-06-15 Thread Nico Williams
On Wed, Jun 15, 2011 at 3:22 AM, Adam Back a...@cypherspace.org wrote: Well said StealthMonger, I suspect Nico is in the minority on this list with that type of view. I read Nico's later reply also.  Short of banning crypto privacy and security rights stand a better chance of being balanced

Re: [cryptography] crypto security/privacy balance (Re: Digital cash in the news...)

2011-06-15 Thread Nico Williams
On Wed, Jun 15, 2011 at 1:36 PM, StealthMonger stealthmon...@nym.mixmin.net wrote: Some folks do not choose to have a state.  For them, all states are foreign powers. That's nice, but not scalable. Scale that up enough and you have anarchy, which is just a temporary situation until a strongman

Re: [cryptography] Repeated Encryptions Considered.... ?

2011-06-19 Thread Nico Williams
On Sat, Jun 18, 2011 at 10:44 PM, Tom Ritter t...@ritter.vg wrote: There are legitimate reasons for *not* doing it, but they're more about the engineering. Twice as much code, twice as many possibilities for bugs.  Twice the key material, twice the key storage.  More work, no practical

Re: [cryptography] Repeated Encryptions Considered.... ?

2011-06-19 Thread Nico Williams
On Sun, Jun 19, 2011 at 7:01 PM, Jon Callas j...@callas.org wrote: That brings us back to the main question: what problem are you trying to solve? The OP mentioned that the context was JavaScript crypto, and whether one could forego the use of TLS if crypto were being applied at a higher

Re: [cryptography] Repeated Encryptions Considered.... ?

2011-06-19 Thread Nico Williams
On Sun, Jun 19, 2011 at 8:47 PM, Jon Callas j...@callas.org wrote: Why not send *all* your network traffic over TLS? Exactly.

Re: [cryptography] Oddity in common bcrypt implementation

2011-06-20 Thread Nico Williams
On Mon, Jun 20, 2011 at 2:09 PM, Marsh Ray ma...@extendedsubset.com wrote: There are certainly more bugs lurking where the complex rules of international character data collide with password hashing. How does a password login application work from a UTF-8 terminal (or web page) when the host

Re: [cryptography] IETF Working Group Charter on Common Interface to Cryptographic Modules (CICM)

2011-06-20 Thread Nico Williams
On Mon, Jun 20, 2011 at 3:01 PM, Novikov, Lev lnovi...@mitre.org wrote: On 2011-06-19 12:38, Peter Gutmann wrote: Just one word really: Why? There is an existing class of devices and environments (e.g., military and diplomatic communications) which have particular requirements that are hard

Re: [cryptography] IETF Working Group Charter on Common Interface to Cryptographic Modules (CICM)

2011-06-20 Thread Nico Williams
On Mon, Jun 20, 2011 at 8:47 PM, James A. Donald jam...@echeque.com wrote: On 2011-06-21 6:34 AM, Nico Williams wrote: The GSS-API has been growing extensions to deal with these situations by exposing more information to the application.  There's also some extensions by which to specify

Re: [cryptography] IETF Working Group Charter on Common Interface to Cryptographic Modules (CICM)

2011-06-21 Thread Nico Williams
On Jun 21, 2011 8:16 AM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: Nico Williams n...@cryptonector.com writes: Not so! Please point to some evidence if you wish to insist on this. GSS-API is pretty Kerberos-y. It may not have it directly baked in, but you really have to squint

Re: [cryptography] IETF Working Group Charter on Common Interface to Cryptographic Modules (CICM)

2011-06-21 Thread Nico Williams
You might say that the GSS-API is very TLS-y or SASL-y too, since MSFT's SSPI (which is very similar to the GSS-API) has an interface to TLS and to SASL as well as to NTLM and the Kerberos GSS mechanism. Martin Rex found the TLS renegotiation bug independently from Marsh Ray by thinking of how the

Re: [cryptography] IETF Working Group Charter on Common Interface to Cryptographic Modules (CICM)

2011-06-21 Thread Nico Williams
I'm quite concerned about this section 5 of http://tools.ietf.org/html/draft-lanz-cicm-lm-00, and, really, everything to do with channels in CICM. My concern is that we already have a large number of technologies in the IETF for establishing channels[*]. Adding any more should require some

Re: [cryptography] Repeated Encryptions Considered.... ?

2011-06-21 Thread Nico Williams
On Tue, Jun 21, 2011 at 4:14 PM, Ian G i...@iang.org wrote: Why not send *all* your network traffic over TLS? The typical reasons for not using TLS would be (a) it's a stream-oriented point-to-point protocol, whereas most activity is app-level datagram-oriented, (b) it's too closely linked

Re: [cryptography] Repeated Encryptions Considered.... ?

2011-06-21 Thread Nico Williams
On Tue, Jun 21, 2011 at 5:38 PM, James A. Donald jam...@echeque.com wrote: The time is long overdue for an encryption protocol that is not layered on top of tcp, and which has protocol negotiation built in. It's called IPsec (KEs + ESP[/AH]). Unfortunately you kinda need an implementation of

Re: [cryptography] IETF Working Group Charter on Common Interface to Cryptographic Modules (CICM)

2011-06-22 Thread Nico Williams
On Wed, Jun 22, 2011 at 7:17 AM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: Marsh Ray ma...@extendedsubset.com writes: Right, so one of the lessons learned here was that if IETF had considered APIs and not just protocols those bugs in TLS would have been found long ago. A pen-tester I know

Re: [cryptography] IETF Working Group Charter on Common Interface to Cryptographic Modules (CICM)

2011-06-23 Thread Nico Williams
On Wed, Jun 22, 2011 at 9:16 AM, Marsh Ray ma...@extendedsubset.com wrote: * There already are crypto APIs being defined in RFCs, they're just ad-hoc and lacking interoperability. E.g. http://tools.ietf.org/html/rfc6234#section-8.1 See also RFC3961 (the Kerberos V5 cryptosystem). Specifying

Re: [cryptography] Anti-GSS falsehoods (was Re: IETF Working Group Charter on Common Interface to Cryptographic Modules (CICM))

2011-06-27 Thread Nico Williams
On Fri, Jun 24, 2011 at 11:00 AM, Marsh Ray ma...@extendedsubset.com wrote: On 06/24/2011 02:04 AM, Nico Williams wrote: Every bank that uses Active Directory uses Kerberos, and the GSS-like SSPI.  And the Kerberos GSS mechanism (through SSPI, on Windows).  The native Windows TLS

Re: [cryptography] Oddity in common bcrypt implementation

2011-06-28 Thread Nico Williams
On Tue, Jun 28, 2011 at 2:09 PM, Sampo Syreeni de...@iki.fi wrote: On 2011-06-28, Marsh Ray wrote: Yes, but in most actual systems the strings are going to get handled. Is this really necessarily true, or just an artifact of how things are implemented now? Or even a simple-minded

Re: [cryptography] preventing protocol failings

2011-07-04 Thread Nico Williams
On Mon, Jul 4, 2011 at 6:28 PM, Sampo Syreeni de...@iki.fi wrote: Personally I've slowly come to believe that options within crypto protocols are a *very* bad idea. Overall. I mean, it seems that pretty much all of the effective, real-life security breaches over the past decade have come from

Re: [cryptography] preventing protocol failings

2011-07-12 Thread Nico Williams
On Tue, Jul 12, 2011 at 12:10 PM, Hill, Brad bh...@paypal-inc.com wrote: Re: H3, There is one mode and it is secure I have found that when H3 meets deployment and use, the reality too often becomes: Something's gotta give.  We haven't yet found a way to hide enough of the complexity of

Re: [cryptography] preventing protocol failings

2011-07-12 Thread Nico Williams
On Tue, Jul 12, 2011 at 5:36 PM, Andy Steingruebl a...@steingruebl.com wrote: I reject the SSH key management example though.  Especially if you've ever maintained a large number/variety of unix servers running SSH, where hardware failures, machine upgrades, etc. lead to frequent SSH key

Re: [cryptography] Symantec gets it wrong

2011-09-08 Thread Nico Williams
On Thu, Sep 8, 2011 at 1:53 PM, Adam Back a...@cypherspace.org wrote: btw Massive kudos to the comodo hacker if his 'sploits are accurately bragged, favor he did the SSL/PKI community indeed.  There were multiple files posted as trophies so I presume people have verified. Whether they're for

Re: [cryptography] Let's go back to the beginning on this

2011-09-12 Thread Nico Williams
On Sun, Sep 11, 2011 at 1:09 AM, Jon Callas j...@callas.org wrote: We're all in the middle of a maze trying to get back. It's easier to understand things if you start at the beginning and walk your way forward. (It's often even easier to start at the end and walk backwards, too, but I don't

[cryptography] Long posts: tl; dr (Re: PKI - and the threat model is ...?)

2011-09-12 Thread Nico Williams
On Mon, Sep 12, 2011 at 9:15 AM, M.R. makro...@gmail.com wrote: In these long and extensive discussions about fixing PKI there seems to be a fair degree of agreement that one of the reasons for the current difficulties is the fact that there was no precisely defined threat model, documented

[cryptography] Convergence as multiple concurrent, alternate PKIs; also, Convergence business models, privacy, and DNSSEC (not that long)

2011-09-14 Thread Nico Williams
I recently caught up with the rest of you and saw Moxie's Convergence presentation [on youtube]. I truly hesitate to post here; there have been so many long posts, that any additional ones are likely to result in tl;dr. I believe Convergence is... just another PKI, or set of PKIs, with some

Re: [cryptography] Nirvana

2011-09-22 Thread Nico Williams
On Sun, Sep 18, 2011 at 11:22 AM, M.R. makro...@gmail.com wrote: On 18/09/11 10:31, Ian G wrote: On the other hand, a perfectly adequate low-level retail transaction security system can best be achieved by using a trusted-third-party, SSL-like system. That's a marketing claim. Best ignored

Re: [cryptography] Bitcoin, was Nirvana

2011-09-26 Thread Nico Williams
On Mon, Sep 26, 2011 at 12:02 AM, Chris Palmer snackypa...@gmail.com wrote: On Sep 25, 2011, at 9:10 PM, James A. Donald wrote: Having a government apparatus to fix liquidity crises is not a solution.  I recommend instead bankruptcy, and indentured servitude for those bankrupts whose

Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-28 Thread Nico Williams
The list is configured to set Reply-To. This is bad, and in some cases has had humorous results. I recommend the list owners change this ASAP. Nico --

Re: [cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)

2011-11-30 Thread Nico Williams
If only we at least used passwords to derive secret keys for authentication protocols that could do channel binding... Sure, that'd still be weak, but it would be much, much better than what we have now. Nico --

Re: [cryptography] How are expired code-signing certs revoked?

2011-12-07 Thread Nico Williams
On Wed, Dec 7, 2011 at 8:12 PM, lodewijk andré de la porte lodewijka...@gmail.com wrote: I'm afraid far more effective just doesn't cut it. Android has install .APK from third party sources which you'll engage whenever you install an APK without using the market, trusted or not. You can just

Re: [cryptography] How are expired code-signing certs revoked?

2011-12-09 Thread Nico Williams
On Fri, Dec 9, 2011 at 4:08 PM, Steven Bellovin s...@cs.columbia.edu wrote: On Dec 9, 2011, at 3:46 18PM, Jon Callas wrote: If it were hard to get signing certs, then we as a community of developers would demonize the practice as having to get a license to code. Peter is talking about stolen

Re: [cryptography] How are expired code-signing certs revoked?

2011-12-09 Thread Nico Williams
On Fri, Dec 9, 2011 at 4:41 PM, Jeffrey Walton noloa...@gmail.com wrote: This strengthens the argument for digital signatures as a means of providing upgrade continuity and related application grouping / isolation, as in the Android model.  No need for a PKI then, no need to pay for

Re: [cryptography] How are expired code-signing certs revoked?

2011-12-09 Thread Nico Williams
I really would like the Android model to be elaborated on a fair bit. Users should be able to deny apps privileges that they request. Users should be able to label data with simple labels for additional isolation (think of it as multiple instances of apps). How does this relate to crypto?

Re: [cryptography] Password non-similarity?

2011-12-27 Thread Nico Williams
I'm assuming that at password change new password policy evaluation time you have both, the old and new passwords, in which case you can use Optimal String Alignment Distance for at least that pair of passwords. If you have only one password you can try a cookbook of transformations that users

Re: [cryptography] CAPTCHA as a Security System?

2012-01-02 Thread Nico Williams
On Mon, Jan 2, 2012 at 4:25 PM, Randall Webmail rv...@insightbb.com wrote: My neighborhood Wal*Mart has pretty much eliminated cashiers in favor of self-checkouts. [...] Wal*Mart is not stupid.   They know full well that a certain percent of shoppers will indeed walk out with a certain

Re: [cryptography] CAPTCHA as a Security System?

2012-01-02 Thread Nico Williams
On Mon, Jan 2, 2012 at 9:08 PM, John Levine jo...@iecc.com wrote: [...].  One of the advantages of having a working legal system is so that we can live reasonable lives with $20 locks in our doors, rather than all having to spend thousands to armor all the doors and windows, like they do in

Re: [cryptography] Well, that's depressing. Now what?

2012-01-27 Thread Nico Williams
On Fri, Jan 27, 2012 at 3:49 PM, Sven Moritz Hallberg pe...@khjk.org wrote: On Fri, 27 Jan 2012 13:39:44 -0500, Warren Kumari war...@kumari.net wrote: Surely I am missing something here? Or is that really the news? I thought the same thing and skimmed (very incompletely) through the paper.

Re: [cryptography] Well, that's depressing. Now what?

2012-01-27 Thread Nico Williams
[BTW, I held off saying anything until the first post. I'd wanted to see how long we could collectively avoid the same old QKD thread. It took five hours to the first post, fourteen to get to the first significant disagreement.] On Fri, Jan 27, 2012 at 8:43 PM, Noon Silk noonsli...@gmail.com

Re: [cryptography] Well, that's depressing. Now what?

2012-01-28 Thread Nico Williams
On Sat, Jan 28, 2012 at 2:33 AM, Noon Silk noonsli...@gmail.com wrote: On Sat, Jan 28, 2012 at 6:55 PM, Nico Williams n...@cryptonector.com wrote: Until we see scalable quantum authenticated quantum secrecy / key distribution, QKD is not suitable for production deployment. Right, but two

Re: [cryptography] Well, that's depressing. Now what?

2012-01-28 Thread Nico Williams
On Sat, Jan 28, 2012 at 5:45 PM, Noon Silk noonsli...@gmail.com wrote: On Sun, Jan 29, 2012 at 4:22 AM, Nico Williams n...@cryptonector.com wrote: I don't see how I could have been much more specific given the two things you quoted from me. As I said, you could point to specific products

Re: [cryptography] Proving knowledge of a message with a given SHA-1 without disclosing it?

2012-02-01 Thread Nico Williams
On Wed, Feb 1, 2012 at 3:49 AM, Francois Grieu fgr...@gmail.com wrote: The talk does not give much details, and I failed to locate any article with a similar claim. I would find that result truly remarkable, and it is against my intuition. The video you posted does help me with the intuition

Re: [cryptography] trustwave admits issuing corporate mitm certs

2012-02-12 Thread Nico Williams
On Sun, Feb 12, 2012 at 9:13 PM, Krassimir Tzvetanov mailli...@krassi.biz wrote: I agree, I'm just reflecting on the reality... :( Reality is actually as I described, at least for some shops that I'm familiar with.

Re: [cryptography] trustwave admits issuing corporate mitm certs

2012-02-12 Thread Nico Williams
I'm sure the trend is currently the other way, yes, but with low-cost high-bandwidth wireless becoming more common it doesn't really matter, does it? And it all depends on the organization and its risk-taking profile. But to bring this back on topic: I'd rather see draconian corporate network

Re: [cryptography] Duplicate primes in lots of RSA moduli

2012-02-15 Thread Nico Williams
On Wed, Feb 15, 2012 at 5:57 PM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: Alexander Klimov alser...@inbox.ru writes: While the RSA may be easier to break if the entropy during the key *generation* is low, the DSA is easier to break if the entropy during the key *use* is low. Obviously, if

Re: [cryptography] Duplicate primes in lots of RSA moduli

2012-02-16 Thread Nico Williams
On Thu, Feb 16, 2012 at 12:28 PM, Jeffrey Schiller j...@qyv.net wrote: Are you thinking this is because it causes the entropy estimate in the RNG to be higher than it really is? Last time I checked OpenSSL it didn't block requests for numbers in cases of low entropy estimates anyway, so line

Re: [cryptography] Applications should be the ones [GishPuppy]

2012-02-16 Thread Nico Williams
On Thu, Feb 16, 2012 at 8:45 PM, 2...@gishpuppy.com wrote: Nico Williams wrote: Applications (in the Unix sense) should not be the ones seeding the system's PRNG.  The system should ensure that there is enough entropy and seed its own PRNG (and mix in new entropy). Exactly the opposite

Re: [cryptography] Applications should be the ones [GishPuppy]

2012-02-17 Thread Nico Williams
Note that there may be times when the application definitely should initialize a PRNG (seeded from the OS' entropy system -- I still maintain that the whole system needs to work well). For example, when using cipher modes where IVs/confounders need to be random but also not re-used. In that case

Re: [cryptography] Duplicate primes in lots of RSA moduli

2012-02-17 Thread Nico Williams
On Fri, Feb 17, 2012 at 2:39 PM, Thierry Moreau thierry.mor...@connotech.com wrote: If your /dev/urandom never blocks the requesting task irrespective of the random bytes usage, then maybe your /dev/random is not as secure as it might be (unless you have a high-speed entropy source, but what

Re: [cryptography] Duplicate primes in lots of RSA moduli

2012-02-17 Thread Nico Williams
On Fri, Feb 17, 2012 at 2:51 PM, Jon Callas j...@callas.org wrote: On Feb 17, 2012, at 12:41 PM, Nico Williams wrote: On Fri, Feb 17, 2012 at 2:39 PM, Thierry Moreau thierry.mor...@connotech.com wrote: If your /dev/urandom never blocks the requesting task irrespective of the random bytes

Re: [cryptography] Homomorphic split-key encryption OR snake oil crypto

2012-02-19 Thread Nico Williams
On Sun, Feb 19, 2012 at 10:08 AM, Florian Weimer f...@deneb.enyo.de wrote: * Saqib Ali: Can somebody explain me how this so-called Homomorphic split-key encryption works? Isn't this just a protocol which performs a cryptographic primitive using split key material, without actually

Re: [cryptography] Homomorphic split-key encryption OR snake oil crypto

2012-02-19 Thread Nico Williams
My guess is that since fully homomorphic systems will be very slow that one could use it to guard just a tiny secret. But what's the point? Who cares if you can protect the customer's keys, if you can't protect the customer's plaintext data? Nico --

Re: [cryptography] Duplicate primes in lots of RSA moduli

2012-02-20 Thread Nico Williams
On Mon, Feb 20, 2012 at 7:07 AM, Ben Laurie b...@links.org wrote: In FreeBSD random (and hence urandom) blocks at startup, but never again. So, not exactly a terribly wrong thing to do, eh? ;) What OSes have parallelized rc script/whatever nowadays? Quite a few, it seems (several Linux

Re: [cryptography] Constitutional Showdown Voided as Feds Decrypt Laptop

2012-03-01 Thread Nico Williams
IOW, I doubt mailman is how they got Fricosu's password.

Re: [cryptography] Key escrow 2012

2012-03-25 Thread Nico Williams
On Sun, Mar 25, 2012 at 10:55 PM, Marsh Ray ma...@extendedsubset.com wrote: On 03/25/2012 11:45 AM, Benjamin Kreuter wrote: The US government still wants a No, probably parts of it: the ones that don't have to think of the big picture. The U.S. government is not monolithic. The NSA has shown

Re: [cryptography] Key escrow 2012

2012-03-30 Thread Nico Williams
On Fri, Mar 30, 2012 at 7:10 AM, StealthMonger stealthmon...@nym.mixmin.net wrote: Adam Back a...@cypherspace.org writes: Not sure that we lost the crypto wars.  US companies export full strength crypto these days, and neither the US nor most other western countries have mandatory GAK.  Seems

Re: [cryptography] Predictive SSH alternative for vt sessions 'Mosh: An Interactive Remote Shell for Mobile Clients'

2012-04-16 Thread Nico Williams
On Wed, Apr 11, 2012 at 11:06 AM, Marsh Ray ma...@extendedsubset.com wrote: http://mosh.mit.edu/ http://mosh.mit.edu/mosh-paper-draft.pdf Very interesting. It's basically a VNC/RDP-like protocol but for terminal applications. Hats off to anyone brave enough to consider a correct and

Re: [cryptography] “On the limits of the use cases for authenticated encryption”

2012-04-25 Thread Nico Williams
I think Tahoe-LAFS is the exception to any rule that one should use AE, and really, the very rare exception. Not the only exception, though this type of application might be the only exception we want. A ZFS-like COW filesystem with Merkle hash trees should have requirements similar to Tahoe's,

Re: [cryptography] data integrity: secret key vs. non-secret verifier; and: are we winning? (was: “On the limits of the use cases for authenticated encryption”)

2012-04-25 Thread Nico Williams
You'd have to ask Darren, but IIRC the design he settled on allows for unkeyed integrity verification and repair. I too think that's a critical feature to have even if having it were to mean leaking some information, such as file length in blocks, and number of files, as I look at this from an

Re: [cryptography] data integrity: secret key vs. non-secret verifier; and: are we winning? (was: “On the limits of the use cases for authenticated encryption”)

2012-04-25 Thread Nico Williams
On Wed, Apr 25, 2012 at 10:27 PM, Marsh Ray ma...@extendedsubset.com wrote: On 04/25/2012 10:11 PM, Zooko Wilcox-O'Hearn wrote: 2. the verifier-oriented way: you make a secure hash of the chunk, and make the resulting hash value known to the good guy(s) in an authenticated way. Is option 2

Re: [cryptography] data integrity: secret key vs. non-secret verifier; and: are we winning? (was: “On the limits of the use cases for authenticated encryption”)

2012-04-25 Thread Nico Williams
Also, On Wed, Apr 25, 2012 at 10:11 PM, Zooko Wilcox-O'Hearn zo...@zooko.com wrote: Hello Nico Williams. Nice to hear from you. Yes, when David-Sarah Hopwood and I (both Tahoe-LAFS hackers) participated on the zfs-crypto mailing list with you and others, I learned about a lot of similarities

Re: [cryptography] data integrity: secret key vs. non-secret verifier; and: are we winning?

2012-04-26 Thread Nico Williams
On Thu, Apr 26, 2012 at 4:04 AM, Darren J Moffat darren.mof...@oracle.com wrote: On 04/26/12 04:52, Nico Williams wrote: You'd have to ask Darren, but IIRC the design he settled on allows for unkeyed integrity verification and repair. Yes it is.  That was a fundamental requirement of adding

Re: [cryptography] data integrity: secret key vs. non-secret verifier; and: are we winning?

2012-04-27 Thread Nico Williams
On Fri, Apr 27, 2012 at 9:15 AM, ianG i...@iang.org wrote: Easy.  Take the hash, then publish it.  The data can be secret, the hash need not be. That works for git. In particular what's nice about it is that you get copies of the hash stored all over. A similar approach can work for

Re: [cryptography] Symantec/Verisign DV certs issued with excessive validity period of 6 years

2012-05-01 Thread Nico Williams
The idea of using fresh certs (not necessarily short-lived) came up in the TLS WG list in the context of the OCSP multi-stapling proposal. So far the most important objection to fresh-lived certs was that it exacerbates clock synchronization issues, but I'm willing to live with that. Short-lived

Re: [cryptography] DIAC: Directions in Authenticated Ciphers

2012-05-02 Thread Nico Williams
On Wed, May 2, 2012 at 8:00 PM, D. J. Bernstein d...@cr.yp.to wrote: I should emphasize that an authenticated-cipher competition would be much more than an AE mode competition. There are certainly people working on new ways to use AES, but there are many more people working on new

Re: [cryptography] Master Password

2012-05-30 Thread Nico Williams
On Wed, May 30, 2012 at 2:32 AM, Jon Callas j...@callas.org wrote: (1) You take the master password and run it through a 512-bit hash function, producing master binary secret. You pick scrypt for your hash function, because you think burning time and space adds to security. I do not. This

Re: [cryptography] Master Password

2012-05-30 Thread Nico Williams
On Wed, May 30, 2012 at 3:25 PM, Maarten Billemont lhun...@lyndir.com wrote: I'm currently considering asking the user for their full name and using that as a salt in the scrypt operation.  Full names are often lengthy and there's a good deal of them.  Do you reckon this might introduce enough

Re: [cryptography] Master Password

2012-05-31 Thread Nico Williams
On Thu, May 31, 2012 at 2:03 AM, Jon Callas j...@callas.org wrote: On May 30, 2012, at 4:28 AM, Maarten Billemont wrote: If I understand your point correctly, you're telling me that while scrypt might delay brute-force attacks on a user's master password, it's not terribly useful a defense

Re: [cryptography] Master Password

2012-05-31 Thread Nico Williams
On Thu, May 31, 2012 at 10:43 AM, Adam Back a...@cypherspace.org wrote: One quite generic argument I could suggest for being wary of scrypt would be if someone said, hey here's my new hash function, use it instead of SHA1, its better - you would and should be very wary.  A lot of public review

Re: [cryptography] Master Password

2012-05-31 Thread Nico Williams
On Thu, May 31, 2012 at 2:03 PM, Marsh Ray ma...@extendedsubset.com wrote: On 05/31/2012 11:28 AM, Nico Williams wrote: Yes, but note that one could address that with some assumptions, and with some techniques that one would reject when making a better hash -- the point is to be slow

Re: [cryptography] Master Password

2012-06-07 Thread Nico Williams
On Thu, Jun 7, 2012 at 4:14 PM, Steven Bellovin s...@cs.columbia.edu wrote: There's another, completely different issue: does the attacker want a particular password, or will any passwords from a large set suffice? Given the availability of cheap cloud computing, botnets, GPUs, and botnets

Re: [cryptography] Key extraction from tokens (RSA SecurID, etc) via padding attacks on PKCS#1v1.5

2012-07-05 Thread Nico Williams
On Thu, Jul 5, 2012 at 9:17 AM, Martin Paljak mar...@martinpaljak.net wrote: On Tue, Jul 3, 2012 at 1:56 AM, Michael Nelson nelson_mi...@yahoo.com wrote: It also does not matter whether you are using pkcs11 APIs, and whether you are doing key wrap/unwrap, and whether the data is a key. Any

Re: [cryptography] abstract: Air to Ground Quantum Key Distribution

2012-09-18 Thread Nico Williams
On Tue, Sep 18, 2012 at 10:30 AM, Natanael natanae...@gmail.com wrote: Does anybody here take quantum crypto seriously? Just wondering. I do not see any benefit over classical methods. If one trusts the entire link and knows it's not MitM'd in advance, what advantage if any does quantum key

Re: [cryptography] ZFS dedup? hashes (Re: [zfs] SHA-3 winner announced)

2012-10-03 Thread Nico Williams
On Wed, Oct 3, 2012 at 9:19 AM, Dr Adam Back a...@cypherspace.org wrote: Incidentally a somewhat related problem with dedup (probably more in cloud storage than local dedup of storage) is that the dedup function itself can lead to the confirmation or even decryption of documents with

Re: [cryptography] [zfs] SHA-3 winner announced

2012-10-03 Thread Nico Williams
On Wed, Oct 3, 2012 at 7:41 AM, David McGrew (mcgrew) mcg...@cisco.com wrote: Are the requirements for the security of ZFS and the use of cryptography in that filesystem documented anywhere? https://blogs.oracle.com/bonwick/entry/zfs_end_to_end_data mentions a Merkle tree of checksums, where

Re: [cryptography] Secure Remote Password (SRP) and Plaintext Emil Address

2012-10-18 Thread Nico Williams
On Thu, Oct 18, 2012 at 7:52 PM, Jeffrey Walton noloa...@gmail.com wrote: I have a Secure Remote Password (SRP) implementation that went through a pen test. The testers provided a critical finding - the email address was sent in the plaintext. Note that plaintext email addresses are part of the

Re: [cryptography] Secure Remote Password (SRP) and Plaintext Emil Address

2012-10-18 Thread Nico Williams
On Thu, Oct 18, 2012 at 8:36 PM, Nico Williams n...@cryptonector.com wrote: On Thu, Oct 18, 2012 at 7:52 PM, Jeffrey Walton noloa...@gmail.com wrote: I'm not really convinced that using an email address in the plaintext for the SRP protocol is finding-worthy, considering email addresses

Re: [cryptography] Secure Remote Password (SRP) and Plaintext Emil Address

2012-10-18 Thread Nico Williams
On Thu, Oct 18, 2012 at 9:40 PM, Jeffrey Walton noloa...@gmail.com wrote: I think Hash(email) or a UID (rather than email address) is the best course of action. UID doesn't work: the user must then remember it, and you don't want to burden them with that :( Nico --

Re: [cryptography] Just how bad is OpenSSL ?

2012-10-30 Thread Nico Williams
I strongly suggest you move to git ASAP. It's not hard, though some history can be lost in the move using off-the-shelf conversion tools. (MIT Kerberos recently moved from SVN to git, and before that, from CVS to SVN, and they seem to have done a lot of manual cleanup to avoid some losses of

Re: [cryptography] Just how bad is OpenSSL ?

2012-11-04 Thread Nico Williams
On Sun, Nov 4, 2012 at 8:42 AM, Ben Laurie b...@links.org wrote: On Sat, Nov 3, 2012 at 12:26 AM, James A. Donald jam...@echeque.com wrote: On Oct 30, 2012 7:50 AM, Ben Laurie b...@links.org wrote: The team has ruled out having the master at github. What is wrong with github? TBH, I

Re: [cryptography] openssl on git

2013-01-08 Thread Nico Williams
On Tue, Jan 8, 2013 at 12:06 PM, Jeffrey Walton noloa...@gmail.com wrote: Would you consider adding a hook to git (assuming it includes the ability). Have the hook replace tabs with white space. This is necessary because different editors render tabs in different widths. So white space makes

Re: [cryptography] openssl on git

2013-01-08 Thread Nico Williams
On Tue, Jan 8, 2013 at 11:08 PM, Jeffrey Walton noloa...@gmail.com wrote: On Tue, Jan 8, 2013 at 9:30 PM, Nico Williams n...@cryptonector.com wrote: On Tue, Jan 8, 2013 at 12:06 PM, Jeffrey Walton noloa...@gmail.com wrote: Would you consider adding a hook to git (assuming it includes the ability

Re: [cryptography] openssl on git

2013-01-08 Thread Nico Williams
And, of course, *all* the gate checkers need to be available to the developer, so *they* can run them first. No trial and error please. (One quickly learns to code in the target upstream's style and other requirements.)

Re: [cryptography] Isn't it odd that...

2013-01-29 Thread Nico Williams
On Tue, Jan 29, 2013 at 9:40 PM, Thor Lancelot Simon t...@panix.com wrote: ...despite all the attacks we've seen on compression-before-encryption, and all the timing attacks we've seen on encryption, [...] ..we haven't really seen any known-plaintext key recovery attacks facilitated by

Re: [cryptography] Q: CBC in SSH

2013-02-11 Thread Nico Williams
On Mon, Feb 11, 2013 at 4:45 PM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: There have been attacks on SSH based on the fact that portions of the packets aren't authenticated, and as soon as the TLS folks stop bikeshedding and adopt encrypt-then-MAC I'm going to propose the same thing for

Re: [cryptography] Q: CBC in SSH

2013-02-11 Thread Nico Williams
On Mon, Feb 11, 2013 at 4:57 PM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: Nico Williams n...@cryptonector.com writes: On Mon, Feb 11, 2013 at 4:45 PM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: There have been attacks on SSH based on the fact that portions of the packets aren't

Re: [cryptography] Q: CBC in SSH

2013-02-11 Thread Nico Williams
On Mon, Feb 11, 2013 at 6:04 PM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: Nico Williams n...@cryptonector.com writes: I'd go further: this could be the start of the end of the cipher suite cartesian product nonsense in TLS. Just negotiate {cipher, mode} and key exchange separately
