Passwords? We don't need no stinking passwords

2005-02-17 Thread R.A. Hettinga


The Register


 Original URL: http://www.theregister.co.uk/2005/02/16/rsa_consumer_survey/

Passwords? We don't need no stinking passwords
By John Leyden (john.leyden at theregister.co.uk)
Published Wednesday 16th February 2005 01:41 GMT

RSA 2005 Concerns over online security are continuing to slow consumer
e-commerce growth. A quarter of the respondents in a recent survey have
reduced their online purchases in the past year and 21 per cent refuse to
conduct business with their financial institutions online because of
security fears. More than half (53 per cent) of the 1,000 consumers quizzed
believe that basic passwords fail to provide sufficient protection for
sensitive personal information.

According to the RSA Security-sponsored telephone survey, poor management
of PINs and passwords for access to online services, desktop computer
systems, ATMs and other electronic accounts is a major vulnerability. As a
major supplier of two-factor authentication products and services that
offer an alternative to traditional static passwords, the issues raised by
RSA Security's survey are more than a little self-serving. That doesn't
mean its analysis is necessarily wrong, though. More and more security
experts are lining up against the use of static passwords for e-banking; in
part because the technique makes consumers easy prey for phishers. Even so,
obituaries for the humble password may be premature.

Adi Shamir, professor at Israel's Weizmann Institute of Science and noted
cryptographer, said: "Passwords are not completely dead. For low level
security apps they are still sufficiently good. It depends on the
application".

One PIN to rule them all

More than two in three respondents (65 per cent) quizzed in RSA Security's
survey use fewer than five passwords for all electronic information access
and 15 percent use a single password for everything. These figures are
unchanged from a similar survey last year.

John Worrall, VP of worldwide marketing at RSA Security, said: "The
majority of consumers are aware of the problems associated with passwords,
but until they are presented with a reliable, easy-to-use alternative,
they're going to continue to exhibit poor password management practices." ®


-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: SHA-1 cracked

2005-02-17 Thread Alexandre Dulaunoy
On Tue, 15 Feb 2005, Steven M. Bellovin wrote:

> According to Bruce Schneier's blog 
> (http://www.schneier.com/blog/archives/2005/02/sha1_broken.html), a 
> team has found collisions in full SHA-1.  It's probably not a practical 
> threat today, since it takes 2^69 operations to do it and we haven't 
> heard claims that NSA et al. have built massively parallel hash 
> function collision finders, but it's an impressive achievement 
> nevertheless -- especially since it comes just a week after NIST stated 
> that there were no successful attacks on SHA-1.

And what about HMAC-SHA1? Is it reducing the operations required by
the same factor, or is the structure of HMAC so different that the
attack is very unlikely to be practical?

-- 
--   Alexandre Dulaunoy (adulau) -- http://www.foo.be/
-- http://pgp.ael.be:11371/pks/lookup?op=get&search=0x44E6CBCD
-- "Knowledge can create problems, it is not through ignorance
--that we can solve them" Isaac Asimov




Re: SHA-1 cracked

2005-02-17 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, Alexandre
 Dulaunoy writes:
>On Tue, 15 Feb 2005, Steven M. Bellovin wrote:
>
>> According to Bruce Schneier's blog 
>> (http://www.schneier.com/blog/archives/2005/02/sha1_broken.html), a 
>> team has found collisions in full SHA-1.  It's probably not a practical 
>> threat today, since it takes 2^69 operations to do it and we haven't 
>> heard claims that NSA et al. have built massively parallel hash 
>> function collision finders, but it's an impressive achievement 
>> nevertheless -- especially since it comes just a week after NIST stated 
>> that there were no successful attacks on SHA-1.
>
>And what about HMAC-SHA1? Is it reducing the operations required by
>the same factor, or is the structure of HMAC so different that the
>attack is very unlikely to be practical?
>

As the blog entry mentions, it's unlikely that SHA-1 is affected.

That said, the attack merits close attention; as Schneier has noted in 
other contexts, attacks always get better, never worse.

--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb





RE: That's gratitude for ya...

2005-02-17 Thread Marcel Popescu
> From: [EMAIL PROTECTED] [mailto:owner-
> [EMAIL PROTECTED] On Behalf Of Rich Salz

> The other day I sent Amir Herzberg a private note saying I thought his
> new tool was pretty neat, and though I'm sure he's heard it a lot,
> thanks.  He said nope, nobody else has said it, and I was stunned.

My apologies. I've been using Amir's tool since he posted the link, but I
haven't thought of sending a "thank you" note :(

Amir, I also think it's neat. :)

Marcel




Re: SHA-1 cracked

2005-02-17 Thread John Kelsey
>From: "Steven M. Bellovin" <[EMAIL PROTECTED]>
>Sent: Feb 15, 2005 11:29 PM
>To: cryptography@metzdowd.com
>Subject: SHA-1 cracked

>According to Bruce Schneier's blog 
>(http://www.schneier.com/blog/archives/2005/02/sha1_broken.html), a 
>team has found collisions in full SHA-1.  It's probably not a practical 
>threat today, since it takes 2^69 operations to do it and we haven't 
>heard claims that NSA et al. have built massively parallel hash 
>function collision finders, but it's an impressive achievement 
>nevertheless -- especially since it comes just a week after NIST stated 
>that there were no successful attacks on SHA-1.

Well, there *weren't* any a week ago

>   --Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb

--John Kelsey




Re: [IP] SHA-1 cracked?

2005-02-17 Thread Ben Laurie
David Farber wrote:

> -- Forwarded Message
> From: Rodney Joffe <[EMAIL PROTECTED]>
> Date: Wed, 16 Feb 2005 07:36:36 -0700
> To: Dave Farber <[EMAIL PROTECTED]>
> Subject: SHA-1 cracked?
>
> For IP
>
> Hi Dave,
>
> Bruce Schneier is reporting in his blog that SHA-1 appears to have been
> broken by a Chinese group, and that it has collisions "in the full SHA-1
> in 2**69 hash operations, much less than the brute-force attack of 2**80
> operations based on the hash length.".
>
> This could have non-trivial implications for many current commercial
> operations.
>
> http://www.schneier.com/blog/archives/2005/02/sha1_broken.html

A work factor of 2^69 is still a serious amount of work. At a thousand 
million trials a second, that's still well over 17 years. I doubt you 
can get anything like that speed without _serious_ expenditure. For 
reference, a middling PC can do around 200k single block SHA-1's a 
second. So, multiply that by 5 million to get it down to 17 years, 
assuming all you have to do is hash.

Of course, we don't have the details yet, but this is not the sky 
falling on our heads (yet).

Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html   http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
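
Added example, not part of any poster's message: the 2**80 "brute-force" figure quoted above is the generic birthday bound for a 160-bit hash, shown here by colliding SHA-1 truncated to 32 bits in roughly 2**16 hashes, alongside the wall-clock arithmetic for the hash rate discussed in this message. The sample message format and all function names are constructed for illustration.

```python
import hashlib

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def truncated_sha1(message: bytes, bits: int) -> int:
    """Return the top `bits` bits of SHA-1(message) as an integer."""
    digest = int.from_bytes(hashlib.sha1(message).digest(), "big")
    return digest >> (160 - bits)


def birthday_collision(bits: int, max_tries: int = 1 << 22):
    """Find two distinct messages whose SHA-1 digests agree in the top `bits` bits.

    Generic birthday search: remember every truncated digest seen so far and
    stop at the first repeat. The expected cost is about 2**(bits/2) hashes,
    which is where 2**80 for the full 160-bit output comes from.
    Returns (msg_a, msg_b, hashes_computed).
    """
    seen = {}
    for counter in range(max_tries):
        msg = b"constructed-sample-%d" % counter  # constructed input
        tag = truncated_sha1(msg, bits)
        if tag in seen:
            return seen[tag], msg, counter + 1
        seen[tag] = msg
    raise RuntimeError("no collision within max_tries")


def years_for(work_bits: float, hashes_per_second: float) -> float:
    """Wall-clock years to perform 2**work_bits hash operations at a given rate."""
    return 2.0 ** work_bits / hashes_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    bits = 32
    a, b, cost = birthday_collision(bits)
    print(f"{bits}-bit truncated SHA-1 collision after {cost} hashes "
          f"(birthday estimate 2**{bits // 2} = {1 << (bits // 2)})")
    print(f"  {a!r} and {b!r} -> {truncated_sha1(a, bits):08x}")

    # Aggregate rate from the message: 200k hashes/s per PC times 5 million PCs.
    rate = 200_000 * 5_000_000
    for work in (69, 80):
        print(f"2**{work} hashes at {rate:.0e}/s: {years_for(work, rate):,.1f} years")
```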


[EMAIL PROTECTED]: CARDIS'2006 Call for Papers]

2005-02-17 Thread R. Hirschfeld
From: Josep Domingo <[EMAIL PROTECTED]>
Subject: CARDIS'2006 Call for Papers  
To: Josep Domingo <[EMAIL PROTECTED]>
Date: Wed, 16 Feb 2005 18:29:37 +0100 (MET)


Apologies for cross-posting. Please disseminate to potential
contributors.

=== 

***   CFP CARDIS 2006 + CFP CARDIS 2006 + CFP CARDIS 2006 + CFP***
- --

CARDIS'06 - Tarragona, Catalonia, Spain    April 19-21, 2006

The 7th Smart Card Research and Advanced Application IFIP Conference, 
organized by IFIP Working Groups WG 8.8 and WG 11.2 
and sponsored by IEEE Spain Section, will be held in 
Tarragona, Catalonia, Spain, April 19-21, 2006.
Since 1994, CARDIS is the foremost international conference dedicated 
to Smart Card research and application. Every two years the scientific 
community congregates to present new ideas and to discuss recent 
developments. Also 2006, thirty eight years after Jürgen Dethloff and 
Helmut Grötrupp filed their idea of incorporating an integrated 
circuit in an identification card, CARDIS'06 will bring together 
leading researchers and practitioners in the development and 
deployment of state of the art Smart Card technologies.
The fast evolutionary process in the field of Information Security 
requires an adequate means to represent the human in the process of 
human-machine interaction. Smart Cards, or, by extension, smart 
devices with their processing power and their direct correlation to 
the user are considered to be the first choice. In rather young and 
new realms, such as Pervasive Computing, smart cards and devices face 
new challenges. Today, the capabilities of smart cards and devices 
with their highly advanced specialized security features reach far 
beyond. They are the basis for many secure systems and play a decisive 
role in ID management. Established computer science areas, like 
hardware design, operating systems, modeling systems, cryptography or 
distributed systems have adapted to this fast growing technology and 
yield new application ranges and investigate emerging challenges for 
these domains. 
Unlike events devoted to commercial and application aspects of Smart 
Cards, CARDIS conferences gather researchers and technologists who are 
focused in all aspects of the design, development, deployment, 
validation and application of Smart Cards or smart personal devices.

- --
 Conference Scope
- --

The program committee seeks papers describing the design, development, 
application, and validation of Smart Card technologies. Submissions 
across a broad range of Smart Card development phases are encouraged, 
from exploratory research and proof-of-concept studies to practical 
application and deployment of Smart Card technology.

Topics of interest include, but are not limited to:

* Smart Device, Person Representation and Ambient Intelligence
* Smart Device, Identity, Privacy and Trust
* Smart Card (Smart Device) and Applications in the Internet, WLAN, 
  DRM, ...
* Smart Card and Smart Device software (OS, VM, API)
* High-level data model and management (On-card data sharing schemes)
* (Distributed) Application development and deployment
* From Smart Card to Smart Device (hardware, form factor, display)
* Biometrics and Smart Cards
* High-speed, small-footprint encryption
* Cryptographic protocols for Smart Cards (and Smart Devices)
* Attacks and countermeasures in hardware and software
* Hardware, software and service (application) validation and 
  certification
* Formal Modeling
* Security of RFID systems
* Interplay of TPMs and Smartcards

- -
 Important Dates
- -

Abstract submission       9 October 2005
Full Paper submission     16 October 2005
Notification to authors   30 November 2005
Camera-ready              15 January 2006
Conference                19-21 April 2006

- ---
 Instructions for Paper Submission
- ---

Submitted papers should represent novel contributions related to 
the topics listed above. They must be original, unpublished, and 
not submitted to another conference or journal for consideration 
of publication. Papers must be written in English; they should not 
exceed 16 pages in total. When appropriate, authors should arrange 
for a release for publication from their employer prior to 
submission.
Papers accompanied by non-disclosure agreement forms will not be 
accepted. Accepted papers will be presented at the conference and 
published in the proceedings, which will appear in Springer's 
Lecture Notes in Computer Science and will be available at the 
conference. At least one author of each accepted paper is required 
to register with the conference and present the paper. Abstracts 
and papers must be submitted in electronic form using the conference 
tool setup for this conference (see submission section on 
www.cardis.org). To submit a paper

'SS Jimma: The American Mystery Sub

2005-02-17 Thread R.A. Hettinga
Code-named "Killer Rabbit"...

Cheers,
RAH
--



StrategyPage.com

February 16, 2005

SUBMARINES: The American Mystery Sub


January 14, 2005: The USS Jimmy Carter (SSN 23),  a modified Seawolf-class
submarine, is used for missions the navy does not like to talk about. The
Carter displaces 12,151 tons submerged, is 100 feet longer than a baseline
Seawolf (453 feet compared to 353 feet). She is also slightly slower than a
baseline Seawolf (61.1 kilometers per hour compared to 64.8 for the
baseline Seawolf), and carries the same armament (eight 30-inch torpedo
tubes with fifty weapons).

 The Jimmy Carter, though, was not designed  for combat patrols. She is
officially a testbed, much like the Los Angeles-class submarine USS
Memphis. However, her real role is to eventually replace the Sturgeon-class
submarine USS Parche, which was taken out of service in October, 2004. The
USS Parche also has a 100-foot long extension - although that was installed
during a refit that lasted from 1987-1991. The Navy is very reluctant to
give out details about the Jimmy Carter, and she is often placed in a
covered drydock (to keep her away from prying eyes in space as well as on
the ground). This is not surprising. The methods and sources of
intelligence are protected very closely by the intelligence community, and
the Jimmy Carter is going to be one of the prime sources of intelligence.

 The Jimmy Carter is capable of carrying 50 special operations personnel,
but her primary mission will be intelligence gathering. The Navy doesn't
talk much about the intelligence-gathering missions it has carried out in
the past, or currently. One of the missions Parche carried out was the
maintenance of taps on undersea phone lines between the Russian naval bases
of Petropavlovsk and Vladivostok (the famous "Ivy Bells" mission). Other
missions involved electronic intelligence. Submarines are ideal for this
mission - they can often supplement coverage by aircraft and satellites.
This supplementary coverage is vital. Aircraft can be detected and have
limited range and satellites have predictable orbits. Dummy transmissions
can be used to throw them off. Submarines, on the other hand, are
unpredictable things - particularly nuclear-powered submarines. There is no
way to know a submarine is there... unless it either chooses to reveal its
presence (usually through the creation of a flaming datum) or something
goes wrong (a collision - like which happened with the USS Tautog).
Submarines often get data on new naval units - often shadowing them and
collecting "hull shots" (pictures of the hull of a ship or submarine) and a
very good idea of the ship's acoustic signature (for future identification).

 In time of war, the Jimmy Carter will provide support for various
missions, like raids by SEALs and other special operations units. Often,
these groups will split up for missions, which could run the gamut of raids
or advising partisans, or a single large mission could be carried out.
Often, their delivery will be by the Advanced SEAL Delivery System,
supported in a Dry Dock Shelter. She will also have additional command and
control facilities, and storage for additional munitions and fuel.

 You will not hear much about what the Jimmy Carter does if the United
States Navy has its way. The submarines are called the Silent Service. This
is doubly true for those submarines like Jimmy Carter and Parche - which
engage in intelligence gathering. Their successes remain secret - failures
will probably make the press. 


 
                 Seawolf   Jimmy Carter   Parche
Length (feet)    353       453            401.5
Displ. (tons)    9,137     12,151         7,800
Speed (km/h)     61.1      64.8           46.3
Crew             130       130+           50 SF 179+
Torpedo tubes    8 30"     8 30"          4 21"
Weapons          50        50             23

Comparison of special operations subs Jimmy Carter and Parche. Seawolf
included for comparison to Carter.

- Harold C. Hutchison ([EMAIL PROTECTED])




-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Re: SHA-1 cracked

2005-02-17 Thread Dan Kaminsky
It is worth emphasizing that, as a 2^69 attack, we're not going to be
getting test vectors out of Wang.  After all, if she had 2^69
computation available, she wouldn't have needed to attack MD5; she could
have just brute forced it in 2^64.

This means the various attacks in the MD5 Someday paper aren't going to
cross over to SHA-1, i.e. don't expect these anytime soon for SHA-1.

http://www.doxpara.com/t1.html
http://www.doxpara.com/t2.html

--Dan

Steven M. Bellovin wrote:

>According to Bruce Schneier's blog 
>(http://www.schneier.com/blog/archives/2005/02/sha1_broken.html), a 
>team has found collisions in full SHA-1.  It's probably not a practical 
>threat today, since it takes 2^69 operations to do it and we haven't 
>heard claims that NSA et al. have built massively parallel hash 
>function collision finders, but it's an impressive achievement 
>nevertheless -- especially since it comes just a week after NIST stated 
>that there were no successful attacks on SHA-1.
>
>   --Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb


Re: That's gratitude for ya...

2005-02-17 Thread Peter Gutmann
Rich Salz <[EMAIL PROTECTED]> writes:

>Why would mozilla embed this?  If they came here, to the putative experts,
>for an evaluation, they'd leave thinking Amir and company just invented
>Rot-13.  It's not that.  It's also not perfect.  BFD -- you got anything
>better?

This ties in to one of my favourite articles on security usability, "Good-
Enough Security: Toward a Pragmatic Business-Driven Discipline", Ravi Sandhu,
IEEE Internet Computing, Vol.5, No.3 (January/February 2003), p.66, or
http://www.list.gmu.edu/journals/ic/03-sandhu-good.pdf if you don't get the
print version.  This contains observations like:

  How many security engineers would it take to design a system for ATM
  security today? I don't think it could be done. We would be debating
  biometric-enabled smartcards, assurance, protection profiles, denial of
  service, non-repudiation, viruses and buffer-overflow attacks till we were
  blue in the face. There is no way that such a system with "good enough"
  security could be designed and built today on the basis of conventional
  security wisdom. Yet it happened. And it works.

The author offers three design principles for good-enough security:

  1. Good enough is good enough.
  2. Good enough always beats perfect.
  3. The really hard part is determining what is good enough.

I think Trustbar does a pretty good job of getting (3) right.

Peter.



Re: Digital Water Marks Thieves

2005-02-17 Thread Matt Crawford
On Feb 15, 2005, at 12:40, R.A. Hettinga wrote:
> Instant, is a property-marking fluid that, when
> brushed on items like office equipment or motorcycles, tags them with
> millions of tiny fragments, each etched with a unique SIN (SmartWater
> identification number) that is registered with the owner's details on a
> national police database and is invisible until illuminated by police
> officers using ultraviolet light.

That's amazing!  How do the tiny particles know that it's not a 
civilian illuminating them with ultraviolet light?

And how does Wired reporter Robert Andrews fail to ask that question?


Re: SHA-1 cracked

2005-02-17 Thread Joseph Ashwood
- Original Message - 
From: "Steven M. Bellovin" <[EMAIL PROTECTED]>
Subject: SHA-1 cracked

> It's probably not a practical
> threat today, since it takes 2^69 operations to do it

I will argue that the threat is realizable today, and highly practical. It 
is well documented that in 1998 RSA Security's DES Challenge II was broken 
in 72 hours by $250,000 worth of custom machine. Scale this forward to 
today, and $500,000 worth of custom equipment and 2^69 is not out of reach 
for 3 days worth of work. So assuming that your attackers are smallish 
businesses, you have 3 days of security, and large businesses with a vested 
interest in breaking your security you are looking at minutes if not seconds 
before break.

While most uses of SHA-1 actually end up searching for collisions against 
fixed outputs (e.g. given A find B such that A<>B and SHA1(A) == SHA1(B)), 
this attack does not immediately cause the collapse of all e-commerce.

This attack means that we need to begin the process for a quick and painless 
retirement of SHA-1 in favor of SHA-256/384/512 in the immediate future and 
begin further preparations to move to Whirlpool and other hashes in the near 
future. I say this because with MD5 completely broken, SHA-0 effectively 
completely broken, and SHA-1 showing big cracks, the entire SHA series is in 
doubt, and needs to be heavily reconsidered, otherwise we're looking at a 
continuing failure of hash functions apparently in a yearly fashion until we 
run out of the SHA series.
   Joe

Trust Laboratories
Changing Software Development
http://www.trustlaboratories.com 



ATM machine security

2005-02-17 Thread Lee Parkes
Hi,
I'm working on a project that requires a benchmark against which to judge
various suppliers. The closest that has similar requirements is the ATM 
industry. To this end I'm looking for any papers, specifications or published 
attacks against ATM machines and their infrastructure. I'm also looking for what
type of networks they use and the crypto they use to protect comms.
Also any standards would be good that the ATM industry has to adhere to.


Thanks,
Lee

-- 
--
[EMAIL PROTECTED] DOC #25 GLASS #136
I Need A Reason To Stand Up And Fight
Need To Believe What I See - The Silver Drop - Mnemic



Re: SHA1 broken?

2005-02-17 Thread Dave Howe
Joseph Ashwood wrote:
> I believe you are incorrect in this statement. It is a matter of public
> record that RSA Security's DES Challenge II was broken in 72 hours by
> $250,000 worth of semi-custom machine, for the sake of solidity let's
> assume they used 2^55 work to break it. Now moving to a completely
> custom design, bumping up the cost to $500,000, and moving forward 7
> years, delivers ~2^70 work in 72 hours (give or take a couple orders of
> magnitude). This puts the 2^69 work well within the realm of realizable
> breaks, assuming your attackers are smallish businesses, and if your
> attackers are large businesses with substantial resources the break can
> be assumed in minutes if not seconds.
>
> 2^69 is completely breakable.
>    Joe

  It's fine assuming that Moore's law will hold forever, but without
that you can't really extrapolate a future tech curve. With *today's*
technology, you would have to spend an appreciable fraction of the
national budget to get a one-per-year "break", not that anything that
has been hashed with SHA-1 can be considered breakable (but that would
allow you to (for example) forge a digital signature given an example).
  This of course assumes that the "break" doesn't match the criteria
from the previous breaks by the same team - ie, that you *can* create a
collision, but you have little or no control over the plaintext for the
colliding elements - there is no way to know as the paper hasn't been
published yet.



Re: SHA-1 cracked

2005-02-17 Thread Ian G
Steven M. Bellovin wrote:
> According to Bruce Schneier's blog
> (http://www.schneier.com/blog/archives/2005/02/sha1_broken.html), a
> team has found collisions in full SHA-1.  It's probably not a practical
> threat today, since it takes 2^69 operations to do it and we haven't
> heard claims that NSA et al. have built massively parallel hash
> function collision finders, but it's an impressive achievement
> nevertheless -- especially since it comes just a week after NIST stated
> that there were no successful attacks on SHA-1.

Stefan Brands just posted on my blog (and I saw
reference to this in other blogs, posted anon)
saying that "it seems that Schneier forgot to
mention that the paper has a footnote which
says that the attack on full SHA-1 only works
if some padding (which SHA-1 requires) is not
done."

http://www.financialcryptography.com/mt/archives/000355.html

I think this might be an opportune time to introduce a
new way of looking at algorithms.  I've written it up
in draft (excuse the postit notes) :

http://iang.org/papers/pareto_secure.html

In short, what I do is apply the concepts of the econ
theory of "Pareto efficiency" to the metric of security.
This allows a definition of what we mean by "secure"
which is quite close to colloquial usage;  in the
language so introduced, I'd suggest that SHA-1 used
to be Pareto-complete, and is now Pareto-secure for
certain applications.  I have a little table down
the end that now needs to be updated!

Comments welcome, it is not a long nor mathematical
paper!  Some small consolation for those not at the
RSA conference.

iang
--
News and views on what matters in finance+crypto:
   http://financialcryptography.com/