results: SSH was pretty much always used
in accordance with its original design-assumptions, whereas SSL was
pretty much never used in accordance with its original design-assumptions.
iang
[0] This of course is the problem with designing for a problem you
haven't any evidence of exist
ious indicator of security; it didn't solve the real problem, but it
itself wasn't much of an issue until attackers started embarrassing it
by invading its design space with attacks.
iang
[0] that's a bit of a misnomer, even cryptographers warn the builders of
crypto tools th
On 21/09/11 03:32 AM, Jeffrey Walton wrote:
On Tue, Sep 20, 2011 at 1:09 PM, ianG wrote:
On 18/09/11 20:02 PM, M.R. wrote:
On 18/09/11 08:59, James A. Donald wrote:
If we acknowledge that SSL is not secure, then we need
something that is secure.
Nothing is either "secure", or &
good term! Add my use: There is a universal implicit
cross-certification in the secure browsing PKI, and the industry knows
it, or should know it.
Indeed, we can show evidence of this in Chrome's CA pinning.
iang
[0] Gross or criminal ne
k.
Is it possible that nobody really wanted smime to work?
iang
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
. CA server certifies that the owner of the private key
corresponding to this public key is capable of receiving email at the
address, emails certificate it back to ostensible email address.
Right, easy enough. What the CA would need to do is figure out a way to
add some
ed a quality
approach, just a compliance approach.
It's not personal :) It's just business.
You see the same effect of compliance in other industries, the famous
example we talk about is Sarbanes-Oxley and securitization and the race
to global bankruptcy :)
x
iang
lier, and put it
on to a single purpose machine.
iang
[0] Which I call high security. Banking I generally call medium
security ... anything using web browsers isn't really serious IMHO.
oncept.
The advantage of this approach is that the banks would get better
protection too, because some of the client-side innovations ("secure
bookmarks") would help a lot with phishing.
Absolute nirvana!
Assuming one takes the current infrastructure as a starting point :)
Pretty sad, really. So few lines, so
many phishes.
iang
PS: Sorry, Peter, I'm just rehashing a lot of the content in the
slides. ...
nd needs of the differing
participants. In contrast, a non-well-behaved market often is
constrained under some arbitrary compliance level which suits no-one.
iang
understand why this doesn't work is to look up OODA loops.
The consequences of this will destroy a number of myths about security
and the Internet...
iang
[0] Dealing with phishing is all about risks, not about theoretical
binary security thinking. For most part that's because the ven
un to watch and play, not recommended to invest :P
iang
[0] Actually, DigiCash used the same design, they just hid it coz the
cypherpunks didn't like it :)
plosion of sites &
contexts) ... they won't work to make client certs better.
All of this (again) aligns well with key continuity / pinning / and
various other buzzwords. But, really, you have to try it. There's no
point in talking about it.
iang
[0] Where, logged in means,
like user customized dialogs where the hostile site can't know the customization.
Right.
iang
Adam
On Mon, Sep 26, 2011 at 07:52:20AM +1000, ianG wrote:
On 25/09/11 10:09 AM, James A. Donald wrote:
On 2011-09-25 4:30 AM, Ben Laurie wrote:
I'm just saying I think its hard to detect whe
o can provide useful insights into crypto
problems ;)
iang
On 26/09/11 20:28 PM, StealthMonger wrote:
Drill Grandma on one thing:
...REMEMBER THE KEY ID.
Actually, this is not only a reasonably interesting idea, it's part of
the PKI model. If Grandma gets defrauded by a false cert, and wants
some remedy, she has to identify who it was. Typic
On 28/09/11 00:17 AM, M.R. wrote:
On 25/09/11 21:52, ianG wrote:
... Any client cert is better than the current best saved
password situation, because the technical security of a
public key pair always exceeds a password...
Client certs are not a practical solution for retail and other
low
in the browser platform until such time as it can be
leveraged against the enterprise in an attack. So just delete it.
Third, for those CAs that remain, take a few moments to interact with
the CAs...
He's advising that the enterprises replace the root list. Question then
is .. how f
On 1/10/11 22:11 PM, William Allen Simpson wrote:
I started reading this thread, and then left it alone, and am catching
up.
It's hard to know where to start, so changing the subject a little.
:)
On 9/20/11 12:51 PM, ianG wrote:
On 20/09/11 01:53 AM, Andy Steingruebl wrote:
SSH do
ng plant.
The business has been declared a legal munition since forever, and the
NSA's cute trick has been turned on its own flock.
Whaddya guys need? A declaration of war?
The name of this syndrome is called "being locked in one's own OODA
loop.&
Another meta question: I seem to have missed the news that RSA has
stopped their factoring challenge in 2007!
http://en.wikipedia.org/wiki/RSA_Factoring_Challenge
Has anything replaced it? This is a great loss, what on earth were RSA
thinking?
iang
On 19/10/11 01:51 AM, Paul Hoffman wrote:
On Oct 18, 2011, at 4:10 AM, ianG wrote:
Another meta question: I seem to have missed the news that RSA has stopped
their factoring challenge in 2007!
http://en.wikipedia.org/wiki/RSA_Factoring_Challenge
Has anything replaced it? This is a great
On 19/10/11 02:42 AM, Paul Hoffman wrote:
On Oct 18, 2011, at 8:24 AM, ianG wrote:
On 19/10/11 01:51 AM, Paul Hoffman wrote:
On Oct 18, 2011, at 4:10 AM, ianG wrote:
Another meta question: I seem to have missed the news that RSA has stopped
their factoring challenge in 2007!
http
any particular reason why PCI(e) is preferred as a hardware
interface?
iang
his is the problem with a system that doesn't deliver a result that can
be correlated to its claimed purpose. C.f. Dan Geer's comment.
http://financialcryptography.com/mt/archives/001255.html
To live in interesting times!
iang
hidden services) when server impersonation
occurs.
As far as I can see, this is a third party repository for the keys.
Which claims to reliably deliver the keys on request?
Is that it?
iang
o let us
know where the borders lie.
To be fair to Steve, although we've been bandying the term "toy crypto"
and cousins around for a while, we haven't really defined it. It's a
bit like American pornography, we know it when we see it.
iang
long thread on the evils and frailties of PKI.
Yeah.
If you are doing research to document the state of real breaches, that
would be valuable info.
iang
rs to cover all certs from all CAs, and test on the certificates
not the serial numbers?
iang
he certs from other CAs?
Is this in any way a cause for action in contract? Is this a cause for
revocation?
If a CA is issuing sub-CAs for the purpose of MITMing, is this a reason
to reset the entire CA? Or is it ok to do MITMing under certain
On 1/12/11 15:10 PM, Peter Gutmann wrote:
ianG writes:
Is this in any way a cause for action in contract? Is this a cause for
revocation?
And given that you have to ask the MITM for the revocation information, how
would you revoke such a cert?
Wait! Mallory has delivered Alice a valid CA
e & beyond to get at them.
Unknown whether it stores certs that you reject.
iang, now about that drink...
ke any sense of it, that's the property
of a message digest.
But if it's a worry, rewrite it?
int sum = 0;
for (int i = 0; i < digest.length; i++)
    sum += abs(digest[i] - hash[i]);   /* no early exit: every byte is visited */
return (0 == sum);
(Just thinking about it, not
whatever, do it from your home system.
I don't think that is a reliable presumption any more. There have been
numerous court cases that have trashed the simple "corporate assets"
presumption.
iang
On 3/12/11 03:14 AM, ianG wrote:
... Except, *natural person* rights can't be *reliably* contracted away.
oops, fix bloopers. wish we had time to be lawyers too...
iang
On 3/12/11 03:36 AM, Ben Laurie wrote:
On Fri, Dec 2, 2011 at 4:14 PM, ianG wrote:
On 2/12/11 23:00 PM, Peter Gutmann wrote:
I guess if you're running into this sort of thing for the first time then
you'd be out for blood, but if you've been aware of this going on for
mor
mad bus driver).
And move on...
If there is any more time, spend it trying to get rid of the
hash-over-one-secret thing.
I'm assuming you don't care, coz of md5(secret). If you do care more,
the answer is probably to use a better construct, HMAC or
challenge/response
ings, the
CA is fully responsible and the Auditor rules over the entire hierarchy
[0]. (I for one am mollified. Others remain less so.) So I'd rewrite
the above last part to say, and your CA gets dropped from the root list
of major vendors.
What is the earliest sighting of a DPI-inspi
int?
We need to see those MITM certs. So we can understand what the nature
of the breach is.
iang
caused the outsourcing of the hacking business
to places east of Europe, and the increase in profits potential.
Oh well. I suppose the market cap for facebook and google justifies it.
iang
y that produces so-called digital signatures actually means in
semantic or legal terms. It's turtles all the way down.)
iang
MITM a reason to pull a root? Sufficient reason?
Or, what is?
And, is that it? We'll keep burying roots until the pain goes away?
iang
ng else is up to you. Good luck!
Now Peter G's question. The answer is simple, it doesn't matter. It
doesn't speak to the purpose of revocation, so it can be anything you
desire. Knock yourself out...
iang
's website connection had to
perverted in some way as well. It's simply exploring how the dual
channel (cell) was broken.
iang
privacy hack than a
crypto-system hack. I'm presuming it did but the article doesn't seem
to say.
Is there more detail?
+1
iang
http://translate.google.com/translate?sl=auto&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&u=http%3A%2F%2Fwebwerel
On 8/12/11 09:55 AM, Jon Callas wrote:
On 7 Dec, 2011, at 11:34 AM, ianG wrote:
Right, but it's getting closer to the truth. Here is the missing link.
Revocation's purpose is one and only one thing: to backstop the liability to
the CA.
I understand what you're saying, bu
Therefore, the CRL/OCSP certs for a root can only be revoked at software
level.
--dan, quite possibly in a rat hole
iang, we're all in rat holes together
[0] Unlike PGP where self can revoke self; there are no layers.
etermine that this tie has been made, and that the
tie has sufficient value to assure him, etc.
Yeah, so the protocol known as signing changes depending on the purpose
and value :)
(Oh, yeah, and that's before we get to non-repudiation which
clashes with law principles a
out what users do
and create a tolerable practice for meeting them in the middle...
iang
enjoyed a resurgence with skimming attacks on payment systems, with
attackers either being present or mounting cameras above the keypad to
catch the finger presses.
iang, hny, fwiw, typing fast...
On 1/01/12 18:09 PM, coderman wrote:
On Sat, Dec 31, 2011 at 9:36 AM, ianG wrote:
...
When I was a rough raw teenager doing this, I needed around 2 weeks to pick
up 5 letters from someone typing like he was electrified. The other 3 were
crunched in 4 hours on a vax780.
how many samples
money
can be yanked right back out again. (Never mind that she already sent
the money to another jurisdiction...)
The thing is, just because a security mechanism doesn't seem to
translate to technological space doesn't mean it doesn't have legs.
iang
from the
output into the mixer. SHA1 should be fine for that, and if that's not
good, just up the generation to SHA2.
my 2 bits of entropy...
iang
never faced a threat are now likely
going to face the music.
It's a bit like economics and finance. Predictions before the fact were
washed out in the general noise of buy, buy, buy... And predictions
after the fact aren't so satisfying :)
iang
hing with SSL.
It is ... sadly the case that the market for security is not a real
market in the sense of good information symmetrically held by all.
Instead it is a market in silver bullets (google). This is just another
silver bullet.
iang
dollars, and what it does isn't nearly interesting enough.
It's straightforward economics, really.
iang
On 29/01/12 11:50 AM, Noon Silk wrote:
On Sun, Jan 29, 2012 at 11:31 AM, ianG wrote:
On 29/01/12 10:45 AM, Noon Silk wrote:
... it's not sensible to say "QKD is snake
oil", without direct reference to something.
Well, if you don't like the conclusion, there are boo
On 29/01/12 13:54 PM, Noon Silk wrote:
On Sun, Jan 29, 2012 at 1:03 PM, ianG wrote:
[...]
It seems to me that you are resting on a sort of philosophical assumption
that pure research is pure, neither good nor bad. If that is the case, the
problem with this assumption is that QKD is not
Hi Bill,
tongue firmly in cheek,
On 1/02/12 05:50 AM, Bill Squier wrote:
On 01/31/2012 05:21 AM, ianG wrote:
major software product that still calls self-signed certificates
"snake-oil" certificates. Which is upside down, the use of the term
itself can be snake-oil recursively.
On 3/02/12 10:55 AM, Bill Squier wrote:
On Feb 2, 2012, at 6:25 PM, ianG wrote:
Hi Bill,
Actually, Marsh wrote those words, but my mail client decided I really needed
to take credit for them... on the order of 6 or 8 times.
-wps
Oh, ok! My apologies. I saw the mixup and assumed that
users and which sites they're visiting" does
not extend to Google itself, which already has much more detailed
information about its users.
With a dubious motive and no clear advantage over the existing
infrastructure, I'm underwhelmed.
iang
untenable in company with "trust". Or as I put it, the jaws of trust
just snapped shut:
http://financialcryptography.com/mt/archives/001359.html
iang
owledge of
the owner. Or any information really...
Obviously we all want to know who and how many ... but right now is not
the time to repeat demands for full disclosure. Right now, vendors need
to decide whether they are dropping CAs or n
nd reliance thing; users
put a lot of their trust in Mozilla.
iang
Ralph
On 02/14/2012 03:31 AM, ianG wrote:
Hi all,
Kathleen at Mozilla has reported that she is having trouble dealing with
Trustwave question because she doesn't know how many other CAs have
issued sub-roots that do MITMs
couple of test vectors, so it is possible to know whether you got it right.
As a data point, it took myself and a mate one weekend to code it from
standard, once upon a time. Working together.
Just a thought :)
iang
On 17/02/12 09:33 AM, Jonathan Katz wrote:
I'm looking for a stand-
rfect" PRNG as per
the NIST concept of fully deterministic, fully testable, and it is up to
the User to provide the entire seed.
If the User chooses to hook her RNG output up to her PRNG input, then
that works too, but she's then in charge of both variables.
iang
ne timesource.
All of these devices look good on paper but have some edge cases. One
way is to cram them all into the IV as one lump:
random||counter||time
With most algorithms these days, you've got 16 bytes in the first block.
Thanks,
-kevin
iang
There is an inability on the part of some security people and all
the media to accept that some designers have accepted a risk rather than
stomp it dead.
iang
s, or
that the NSA changed them...
iang
a and calling levels, a 5 x developer
penalty, and an obsession about the metal not the customer.
Could be worse I suppose. Some days it seems that Javascript crypto is
inevitable.
Even I haven't gone that far :) I should tho.
iang
t the balance right.
iang
"all-in-one" thinking over to entropy source plus
deterministic mixer is quite inspired. Point being, they solved half
the problem; they'll be open to the other half?
iang
On 23/02/12 08:55 AM, Marsh Ray wrote:
On 02/22/2012 09:32 AM, Thierry Moreau wrote
Hi James,
On 23/02/12 11:16 AM, James A. Donald wrote:
On 2012-02-23 9:07 AM, ianG wrote:
Um. I feel exactly the reverse. I feel uncomfortable with crypto code
written in languages that guarantee buffer overflows, stack busting
attacks, loose semantics at data and calling levels, a 5 x
ve a very naive concept of entropy...where/when to use it and
from where and how to obtain it.
Yes, crypto seems to be in layers. Block algorithms. Modes, and
implications. The rest. The game is to push more of it back down to
"algorithms".
iang
lly beat anything, they can only make it crime-exclusive. (you
make it illegal and only those that don't care about the law can use it.)
That's it! Now, leave aside the libertarian hopes and the politics and
the freedom bias and right to code and the "this time it's different"
and unlike the banker apologists who just assume that the agreed &
received wisdom of central banking will work if we just try harder.
Presenting how the economy works in less than one paragraph does raise
difficulties for us all :)
iang
're mute.
Keep reminding meanwhile, he said:
>> Ditto. One other thing that you need
>> to add, the police are very, very good
>> at getting information out of people.
>> They've been doing it with hardened
>> criminals
On 25/02/12 18:50 PM, Jon Callas wrote:
"...We're not *stupid*."
Once upon a time ...ok skip the annoying anecdote and get to the question:
What would be the smallest steganography program that someone could type
in and use to hide one's secret archive in plain sight?
iang
s not only theoretical:
https://bitcointalk.org/index.php?topic=16457.0
http://ulf-m.blogspot.com.au/
iang
ps" list
after they have done some study.
Not everyone agrees...
iang
PS: if I wrote it again I'd drop the 7. I'm 3 times over the current
journalistic trend of "5 things you must know in order to achieve
happiness in all things."
a few. And
they did so more or less naturally following good design processes. A
particularly indicative data point is SSH which offered both client-side
keys and passwords, and the latter sort of fell by the wayside.
iang
ering. Do the job at the lower layer, and re-do
the job at the higher layer. Resilience from failures.
Nothing to do with crypto, gets you zero marks in class. But as a
software or systems engineer, it's obvious, a no-brainer.
iang
[1] there is one way I've come across to comb
rger?
OK, that's a significant factoid - the goal is in sight.
It's also interesting that they are justifying the goal to hoover
everything up as needed for future cryptanalysis material for when they
can break the codes.
iang
But AES-cracking is the cover-plan.
"We're almost there, the new computer being built this year will make a
huge difference, a real breakthrough!"
Perfect.
(They have a mandate for the second, not the first... and the second
deliver
On 19/03/12 12:31 PM, ianG wrote:
... So after a lot of colour, it is not clear if they can break AES.
Yet. OK. But that is their plan. And they think they can do it, within
their foreseeable future.
So, step into NSA's shoes. If there is a timeline here we (NSA) worked
out we can
"exogenous pain of reality." If you leave the chat records on your
laptop, which is seized and used as evidence against you, you're
perfectly screwed.
iang
do you mean by fuzzers?
iang
On 26/03/12 12:22 PM, Seth David Schoen wrote:
ianG writes:
On 26/03/12 07:43 AM, Jon Callas wrote:
This is precisely the point I've made: the budget way to break crypto is to buy
a zero-day. And if you're going to build a huge computer center, you'd be
better off building f
ion (a.k.a. "mining"), which last about 48 hours. However,
back-of-the-envelope calculations by yours truly indicate that a
100,000-node botnet would not contribute even 10% of the hash rate
seen in the dip.
Good observations and calculations. So,
time, but the government types who were talking up the
concept blasted it as merely a way to mock (using that very word) the concept.
And therein lies another story! Which always seems to end: and then we
lost the crypto wars. I treat it as a
still time to figure out how to get people to use crypto, all
is not yet lost!
Yeah. New applications is the opportunity. We saw this in Skype, when
a new field was not subject to the old domination. We didn't so much
see it with social networks, but there is something of it in there.
me to mind?
Debian optimisation of input to TLS code?
Possibly XOR related adventures, or RNGs.
Sounds like a good enquiry for an article.
iang
ed off
at his prior failures, and personally suspected the communications
channels were leaking his secrets, so all the orders were sent by
motor-cycle couriers. E.g., Hitler was right. His generals were wrong.
(This seemed to happen often enough to
hile, back to crypto...
iang
lse's comments as well.
On Mon, Feb 20, 2012 at 7:11 AM, ianG wrote:
On 20/02/12 18:11 PM, Kevin W. Wall wrote:
Hi list,
This should be a pretty simple question for this list, so please pardon
my ignorance. But better to ask than to continue in ignorance. :-)
NIST refers to "combine
to keep new bunnies hopping...
iang
[0] Dan Geer's delta argument.
on. And software engineering's got your back.
That's not to say that the SHA3 comp was unneeded. But it wasn't the
same level of necessity that AES had.
iang
sfers, documentation,
testing recovery paths, training, maintenance contracts, upgrades, etc.
In comparison to the null project, not using them (e.g., using straight
servers in locked racks etc).
tia,
iang
.)
iang