Re: [Discuss] KeePassX

2013-10-07 Thread Richard Pieri
Edward Ned Harvey (blu) wrote: But guess what. That's why puttygen and truecrypt don't rely on the kernel prng for key generation. They require you to generate your own entropy via mouse control. Which is no guarantee of any sort at all. Fact is, even people with the mathematical chops to

Re: [Discuss] KeePassX

2013-10-06 Thread Edward Ned Harvey (blu)
From: Kent Borg [mailto:kentb...@borg.org] Sent: Wednesday, August 14, 2013 10:25 AM But you don't mean AES-128 can be broken today with 2^64 operations, do you? That sounds wrong--or theoretical. I found my book (Cryptography Engineering) and looked it up. The answer is: Most modern

Re: [Discuss] KeePassX

2013-08-19 Thread Derek Atkins
Richard Pieri richard.pi...@gmail.com writes: Jerry Feldman wrote: It has been a while, but if I recall, Derek was on a team that cracked an RSA key. I don't remember the details, but I still remember Derek's talk. RSA issued a number of factoring challenges for a range of RSA key sizes

Re: [Discuss] KeePassX

2013-08-17 Thread Richard Pieri
Jerry Feldman wrote: It has been a while, but if I recall, Derek was on a team that cracked an RSA key. I don't remember the details, but I still remember Derek's talk. RSA issued a number of factoring challenges for a range of RSA key sizes from 100 to 2048 bits:

Re: [Discuss] KeePassX

2013-08-16 Thread Kent Borg
On 08/15/2013 06:35 PM, Edward Ned Harvey (blu) wrote: [...] That's why I only *use* cryptography and don't *create* it. I read a book and took a class on how to *use* cryptography. I am utterly unqualified to create ciphers and hashes. You make such a valuable point. No one should think

Re: [Discuss] KeePassX

2013-08-16 Thread Derek Atkins
Richard Pieri richard.pi...@gmail.com writes: Richard Pieri wrote: Your 4096-bit asymmetric key is either RSA or DH, both of which are VERY slow algorithms, too slow for general use. I correct myself: RSA or DSA. Not DH. Actually you were correct the first time. When you create a DSA key

Re: [Discuss] KeePassX

2013-08-16 Thread Edward Ned Harvey (blu)
From: Kent Borg [mailto:kentb...@borg.org] Sent: Friday, August 16, 2013 8:56 AM Over the years I have spent a lot of time paying attention to cryptography and feel like I have reached the most basic level of competence Read Cryptography Engineering (surprisingly a quick read) and take the

Re: [Discuss] KeePassX

2013-08-16 Thread Richard Pieri
Kent, Critique and review of ciphers is not that simple. Compare RSA to RC4, both developed in part or in total by Ron Rivest. On paper, RSA is a weak algorithm while RC4 is a strong one. In practice, however, RC4 was found to be weak through experimentation while RSA has withstood attack.

Re: [Discuss] KeePassX

2013-08-16 Thread Kent Borg
On 08/16/2013 11:14 AM, Edward Ned Harvey (blu) wrote: Read Cryptography Engineering (surprisingly a quick read) I am at work right now, but I think I already have a copy at home. Looking at preview pages from Google Books everything looks terribly familiar. (But terribly familiar doesn't

Re: [Discuss] KeePassX

2013-08-16 Thread Kent Borg
On 08/16/2013 11:36 AM, Richard Pieri wrote: You need to know how to attack ciphers if you want to critique them. That's why you need a formidable enough reputation, and even possibly an AES-style competition, to get enough public crypto talent beating on your algorithm. And even that

Re: [Discuss] KeePassX

2013-08-16 Thread Edward Ned Harvey (blu)
From: Kent Borg [mailto:kentb...@borg.org] Sent: Friday, August 16, 2013 11:47 AM On 08/16/2013 11:14 AM, Edward Ned Harvey (blu) wrote: Read Cryptography Engineering (surprisingly a quick read) I am at work right now, but I think I already have a copy at home. Looking at preview pages

Re: [Discuss] KeePassX

2013-08-15 Thread Edward Ned Harvey (blu)
From: Kent Borg [mailto:kentb...@borg.org] Sent: Wednesday, August 14, 2013 10:25 AM But you don't mean AES-128 can be broken today with 2^64 operations, do you? That sounds wrong--or theoretical. That is what I'm saying, but it was at least a year or two ago I read that, and I can't seem

Re: [Discuss] KeePassX

2013-08-14 Thread Jerry Feldman
Agreed. But, breaking the session key only works for a single message or a single session. If they want to target a specific individual, breaking the RSA/DSA keys will give them access to all encrypted messages. (within the context is that a sent message is encrypted by the recipient's public

Re: [Discuss] KeePassX

2013-08-14 Thread Kent Borg
On 08/14/2013 06:34 AM, Jerry Feldman wrote: Agreed. But, breaking the session key only works for a single message or a single session. If they want to target a specific individual, breaking the RSA/DSA keys will give them access to all encrypted messages. (within the context is that a sent

Re: [Discuss] KeePassX

2013-08-14 Thread Edward Ned Harvey (blu)
From: discuss-bounces+blu=nedharvey@blu.org [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of Daniel Barrett In the absence of the 4096-bit private half of my key, how hard is it to decrypt the session key by brute force and thereby decrypt file Foo? Do the time arguments

Re: [Discuss] KeePassX

2013-08-14 Thread Gregory Boyce
That depends on the cipher in use and if it supports perfect forward secrecy or not. http://en.wikipedia.org/wiki/Perfect_forward_secrecy On 08/14/2013 06:34 AM, Jerry Feldman wrote: Agreed. But, breaking the session key only works for a single message or a single session. If they want to

Re: [Discuss] KeePassX

2013-08-14 Thread Kent Borg
On 08/13/2013 05:04 PM, Jerry Feldman wrote: The real issue is determining who and what to monitor. That is the key. For years the idea is that the NSA is selective and decides what traffic to analyze, what messages to try to decrypt, what targets to actively attack (with such things as a

Re: [Discuss] KeePassX

2013-08-14 Thread Kent Borg
On 08/13/2013 04:47 PM, Jerry Feldman wrote: Let's take the situation: NSA is watching you. They can intercept your email, crack your RSA or DSA key, and then they can discover the session keys. They are not interested in everybody's random encrypted emails, so if they focus on individuals

Re: [Discuss] KeePassX

2013-08-14 Thread Kent Borg
On 08/13/2013 04:30 PM, Daniel Barrett wrote: In the absence of the 4096-bit private half of my key, how hard is it to decrypt the session key by brute force and thereby decrypt file Foo? Do the time arguments from this KeePass discussion apply? There are three approaches they can take, sorted

Re: [Discuss] KeePassX

2013-08-14 Thread Richard Pieri
Jerry Feldman wrote: recipient's public key), so to make this bidirectional they need to break 2 keys, so the job gets more difficult. Breaking the session key The public key is more easily recovered from, say, a public key server. This requires no effort at all. It may be easier -- and it

Re: [Discuss] KeePassX

2013-08-14 Thread Kent Borg
On 08/14/2013 09:38 AM, Edward Ned Harvey (blu) wrote: From: discuss-bounces+blu=nedharvey@blu.org [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of Kent Borg Bruteforcing 128-bits is impossible. Bruteforcing 256-bits is 128-bits times as impossible. Careful here. Someday,

Re: [Discuss] KeePassX

2013-08-14 Thread Jerry Feldman
On 08/14/2013 07:36 AM, Kent Borg wrote: On 08/14/2013 06:34 AM, Jerry Feldman wrote: Agreed. But, breaking the session key only works for a single message or a single session. If they want to target a specific individual, breaking the RSA/DSA keys will give them access to all encrypted

Re: [Discuss] KeePassX

2013-08-14 Thread Kent Borg
On 08/14/2013 10:03 AM, Richard Pieri wrote: Certificate + handshake = session key = decrypted session in real time. Any user, any session, any time, any reason. No cryptanalysis needed. No brute force needed. Yes, if the communications uses a broken (lack of) key exchange. Stupidly, SSL

Re: [Discuss] KeePassX

2013-08-14 Thread Richard Pieri
Kent Borg wrote: I didn't realize that SSL was so stupid. Rather important technology was left out of SSL, even though it was already two years old at that point. Grrr. It wasn't left out. It was intentionally excluded. Back in the day, Netscape was under ITAR munitions restrictions. They

Re: [Discuss] KeePassX

2013-08-14 Thread Kent Borg
On 08/14/2013 12:45 PM, Richard Pieri wrote: Do you finally get what I've been on about? You have good points. But I still return to my harping that anything that bends the cost curve up for the NSA ruins their idea of snooping on everything. For example, the third of SSL traffic with good

Re: [Discuss] KeePassX

2013-08-14 Thread Richard Pieri
Kent Borg wrote: Everything is just too big to afford if not at really low bulk rates. Even for the NSA. It's the other way around. The more that is encrypted, the more known text the NSA has available for side-channel attacks. The more that is encrypted, the more chances of a hash collision

Re: [Discuss] KeePassX

2013-08-14 Thread Jerry Feldman
It may not be easier, but it would be more effective when monitoring specific people. On 08/14/2013 10:03 AM, Richard Pieri wrote: Jerry Feldman wrote: recipient's public key), so to make this bidirectional they need to break 2 keys, so the job gets more difficult. Breaking the session key

Re: [Discuss] KeePassX

2013-08-14 Thread Richard Pieri
Jerry Feldman wrote: It may not be easier, but it would be more effective when monitoring specific people. Yes, well, we all know how well the USA PATRIOT Act and Protect America Act have curtailed warrantless surveillance of the general population. The most effective use of large-scale

Re: [Discuss] KeePassX

2013-08-13 Thread Kent Borg
On 07/24/2013 10:32 AM, Kent Borg wrote: I don't know current estimations, but I would use the following guidelines for an encryption key: 32-bits of entropy: stops a naive individual with a day-job 80-bits of entropy: stops a small organization 100-bits of entropy:

Re: [Discuss] KeePassX

2013-08-13 Thread Jack Coats
Guess that is why I like the idea of 4096 bit keys. Paranoid? Only slightly. Overkill? Who knows what is coming next. Would I like it to be better than that? Yes. Do I use it ALL THE TIME? No, not QUITE that paranoid. Now where did I leave my tin foil hat? ... Jack

Re: [Discuss] KeePassX

2013-08-13 Thread Jack Coats
The NSA has computing facilities measured in acres. That we pay for. Thank you. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss

Re: [Discuss] KeePassX

2013-08-13 Thread Kent Borg
On 08/13/2013 10:43 AM, Jack Coats wrote: Guess that is why I like the idea of 4096 bit keys. At 4096 I think you are talking about RSA or similar asymmetrical keys. Symmetrical keys are far smaller for similar strength. The strength of symmetrical keys are also far easier to estimate, and

Re: [Discuss] KeePassX

2013-08-13 Thread Daniel Barrett
128-bits of entropy: stops the NSA Does this discussion apply to public-key encryption, say, cracking a GPG-encrypted file without the private key? Or just to symmetric encryption where you just have to guess a password? Just wondering how safe a file is when encrypted with a 4096-bit

Re: [Discuss] KeePassX

2013-08-13 Thread Richard Pieri
Kent Borg wrote: I feel like you want me to draw a conclusion. Are you saying 80-bits is not pretty dang good? Or are you saying Snowden's trillion a second was wrong? Or something else? I described a home-brew, trillion per second brute force engine that can fit in half a rack of

Re: [Discuss] KeePassX

2013-08-13 Thread Richard Pieri
Daniel Barrett wrote: Just wondering how safe a file is when encrypted with a 4096-bit GPG key. GPG doesn't work that way. Your 4096-bit asymmetric key is either RSA or DH, both of which are VERY slow algorithms, too slow for general use. When you encrypt a message, the encryption engine

Re: [Discuss] KeePassX

2013-08-13 Thread Richard Pieri
Richard Pieri wrote: Your 4096-bit asymmetric key is either RSA or DH, both of which are VERY slow algorithms, too slow for general use. I correct myself: RSA or DSA. Not DH. -- Rich P.

Re: [Discuss] KeePassX

2013-08-13 Thread Kent Borg
On 08/13/2013 01:29 PM, Richard Pieri wrote: If I did my math right, a facility like that can brute-force any 80-bit key in about 32 hours. I'll accept your math, and it makes my point. You describe a facility that can only brute-force a couple hundred 80-bit keys a year. Which means

Re: [Discuss] KeePassX

2013-08-13 Thread John Abreau
Richard Pieri writes: If I did my math right, a facility like that can brute-force any 80-bit key in about 32 hours. If they want to intercept and decrypt *all* traffic, that means decrypting more than one key. I have no idea how much daily encrypted traffic passes through the Internet on an

Re: [Discuss] KeePassX

2013-08-13 Thread Richard Pieri
Kent Borg wrote: I'll accept your math, and it makes my point. You describe a facility that can only brute-force a couple hundred 80-bit keys a year. Which means brute-forcing 80-bit keys is not something routine and cheap for the NSA, not when they think they need a plaintext copy of

Re: [Discuss] KeePassX

2013-08-13 Thread Daniel Barrett
On August 13, 2013, Richard Pieri wrote: GPG doesn't work that way[...] When you encrypt a message, the encryption engine generates a random session key. This session key is used to encrypt the message using a symmetric cipher (GnuPG uses CAST-128 by default). The session key is then encrypted

Re: [Discuss] KeePassX

2013-08-13 Thread John Abreau
But - and this is important -- once a given recipient's key is cracked it remains cracked forever. Nope, sorry, each individual message has its own unique session key. Cracking the session key on one particular message tells you nothing about the session key on subsequent messages. On Tue,

Re: [Discuss] KeePassX

2013-08-13 Thread John Abreau
If you're talking about the NSA breaking into each and every person's home and copying their pgp keys off their desktop machine, that's an entirely separate question from intercepting encrypted email traffic as it passes across the Internet. On Tue, Aug 13, 2013 at 4:33 PM, John Abreau

Re: [Discuss] KeePassX

2013-08-13 Thread Jerry Feldman
Let's take the situation: NSA is watching you. They can intercept your email, crack your RSA or DSA key, and then they can discover the session keys. They are not interested in everybody's random encrypted emails, so if they focus on individuals who interest them, the problem becomes smaller.

Re: [Discuss] KeePassX

2013-08-13 Thread John Abreau
If the individual in question encrypts only high-value messages, and doesn't bother encrypting everything else, like grocery lists, birthday greetings, and all their mundane day-to-day communication, then it's easy for the NSA to target their high-value messages and get good results. On the other

Re: [Discuss] KeePassX

2013-08-13 Thread Jerry Feldman
True, but not unsurmountable. Depends on the recipient. Additionally with public key encryption you are using the recipient's public key to encrypt. The real issue is determining who and what to monitor. On 08/13/2013 04:54 PM, John Abreau wrote: If the individual in question encrypts only

Re: [Discuss] KeePassX

2013-08-13 Thread Richard Pieri
John Abreau wrote: Nope, sorry, each individual message has its own unique session key. Cracking the session key on one particular message tells you nothing about the session key on subsequent messages. If I decrypt the message by breaking the session key then yes, I can only decrypt that one

Re: [Discuss] KeePassX

2013-08-13 Thread Richard Pieri
John Abreau wrote: On the other hand, if the individual routinely encrypts *everything*, and if the metadata does not clearly identify which messages are of interest, then it becomes much harder. You have a routine. You suddenly start encrypting everything. If I compare your pre-everything

Re: [Discuss] KeePassX

2013-08-13 Thread Edward Ned Harvey (blu)
From: discuss-bounces+blu=nedharvey@blu.org [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of John Abreau On the other hand, if the individual routinely encrypts *everything*, and if the metadata does not clearly identify which messages are of interest, then it becomes

Re: [Discuss] KeePassX

2013-08-13 Thread Richard Pieri
Daniel Barrett wrote: In the absence of the 4096-bit private half of my key, how hard is it to decrypt the session key by brute force and thereby decrypt file Foo? Do the time arguments from this KeePass discussion apply? That depends on the symmetric cipher used. CAST-128 (aka CAST5)

Re: [Discuss] KeePassX

2013-07-31 Thread Tom Metro
Greg Rundlett wrote: A quick search through my KeePassX database and my login for Ubuntu forums was cryptographically strong, and (for me) unique to that website. *Every* login I have is unique. I have a simple tool (KeePassX) to mind them all. And I have Dropbox to share the (encrypted)

Re: [Discuss] KeePassX

2013-07-31 Thread Richard Pieri
Tom Metro wrote: A password safe could use strong encryption to protect the keys used by the one-time authentication algorithm. Ideally, you'd want to have the option to have that info encrypted using a different password than the one protecting your passwords. Try this little thought

Re: [Discuss] KeePassX

2013-07-31 Thread Tom Metro
Richard Pieri wrote: Try this little thought experiment. Take all of the passwords that you use on a daily basis. Put them into KeePass or whatever... Now, for one entire day, every time you need a password you MUST use the [safe] to retrieve it. But that would be silly. Security is

Re: [Discuss] KeePassX

2013-07-31 Thread Chuck Anderson
On Tue, Jul 23, 2013 at 08:11:44PM -0400, Richard Pieri wrote: Tom Metro wrote: A password safe could use strong encryption to protect the keys used by the one-time authentication algorithm. Ideally, you'd want to have the option to have that info encrypted using a different password than the

Re: [Discuss] KeePassX

2013-07-31 Thread Bill Horne
On 7/23/2013 10:43 PM, Tom Metro wrote: (It seems most hack attempts we hear about lately have been against fairly inconsequential sites, where the hackers must be primarily after validated email addresses, and hoping users have reused passwords on multiple sites.) They are primarily after

Re: [Discuss] KeePassX

2013-07-31 Thread Rich Braun
Chuck Anderson suggested: for low value passwords like web forums, just let the browser remember them. I haven't let a browser remember passwords since the time I noticed that I could retrieve (another person's) passwords by sitting at their browser and invoking Settings - Advanced Settings -

Re: [Discuss] KeePassX

2013-07-31 Thread Ben Eisenbraun
On Tue, Jul 23, 2013 at 08:05:18PM -0700, Rich Braun wrote: I haven't let a browser remember passwords since the time I noticed that I could retrieve (another person's) passwords by sitting at their browser and invoking Settings - Advanced Settings - Manage Advanced Passwords - (look at each

Re: [Discuss] KeePassX

2013-07-31 Thread Bill Horne
On 7/24/2013 12:05 AM, Ben Eisenbraun wrote: On Tue, Jul 23, 2013 at 11:16:06PM -0400, Bill Horne wrote: Since my password isn't in a dictionary, and doesn't contain any common substitutions that would allow for guessing, I'm not concerned about the breach. Dictionary attacks are kind of...

Re: [Discuss] KeePassX

2013-07-31 Thread Ben Eisenbraun
On Tue, Jul 23, 2013 at 11:16:06PM -0400, Bill Horne wrote: Since my password isn't in a dictionary, and doesn't contain any common substitutions that would allow for guessing, I'm not concerned about the breach. Dictionary attacks are kind of... passe. It's all password lists culled from

Re: [Discuss] KeePassX

2013-07-31 Thread Kent Borg
On 07/23/2013 11:16 PM, Bill Horne wrote: the hashes allow a Dictionary attack, where they just run every word in the dictionary through a hash function, and see what matches. It depends. Unsalted hashes are vulnerable to dictionary attacks with rainbow tables. But the right (non-Microsoft)

Re: [Discuss] KeePassX

2013-07-31 Thread Kent Borg
On 07/23/2013 06:29 PM, Tom Metro wrote: Good idea, if 1. you have an old phone to dedicate to this, and 2. you don't mind carrying around a phone that is otherwise useless. (I suppose you might be able to make emergency calls on it.) I actually bought a new phone from geekbuying.com. Cost

Re: [Discuss] KeePassX

2013-07-31 Thread Kent Borg
On 07/24/2013 09:56 AM, Edward Ned Harvey (blu) wrote: I am a great fan of BioWallet. You sign the screen with your finger. Your name, a random word, whatever. It works best for handwritten words, and doesn't work so well for geometric shapes, drawings, patterns. It performs bioinformatic

Re: [Discuss] KeePassX

2013-07-31 Thread Richard Pieri
Chuck Anderson wrote: Why? Who says you aren't allowed to remember the ones you most I say it. It's my thought experiment and I deliberately chose a restrictive set of rules for it. -- Rich P.

Re: [Discuss] KeePassX

2013-07-31 Thread Kent Borg
On 07/24/2013 01:40 PM, Rich Braun wrote: most people have just plain given up trying to follow best-practices The whole term best practices annoys me. It is so much like a school yard taunt: MY practices are better than yours! No they are not! Mine are Best Practices. (Who the hell signs

Re: [Discuss] KeePassX

2013-07-31 Thread Rich Braun
Rich P wrote: You personally can remember your commonly-used passwords. Can you honestly and truthfully say that about every person in the world? No, you can't. The rules of the experiment are there to put you in the position of someone who can't remember their commonly used passwords, never

Re: [Discuss] KeePassX

2013-07-31 Thread Eric Chadbourne
I keep my passwords, all of which are distinct, in a password protected libreoffice doc. Been working just fine. But then again I'm not being chased around the globe like Ed S. I would suggest this to folks who don't have serious security concerns. Heck everybody knows how to use an office doc

Re: [Discuss] KeePassX

2013-07-31 Thread Richard Pieri
Rich Braun wrote: Knowing all this, and knowing that most people have just plain given up trying to follow best-practices, I've been recommending LastPass.com to my non-technical friends: but their service isn't free on mobile phones so I'm looking for a new recommendation. A piece of paper, a

Re: [Discuss] KeePassX

2013-07-31 Thread Bill Horne
On 7/24/2013 4:18 PM, Richard Pieri wrote: Because writing down passwords itself isn't a bad practice. It's writing them down and putting the paper near the things being protected that's a bad practice. I certainly don't leave the key to my front door hanging from the knob outside. It goes

Re: [Discuss] KeePassX

2013-07-31 Thread Richard Pieri
Bill Horne wrote: Schneier once put a picture of a SecureID token on his website: it was on a live-camera feed from an undisclosed location. He said that the funny thing was that, as long as the device's serial number wasn't disclosed, the thing was still secure. Well, yeah. The codes the