Re: [cryptography] US Appeals Court upholds right not to decrypt a drive
On 02/24/2012 12:14 PM, Steven Bellovin wrote:
> http://volokh.com/2012/02/23/eleventh-circuit-finds-fifth-amendment-right-against-self-incrimination-not-to-decrypt-encyrpted-computer/

It's worth noting that some kind folks from the EFF gave a fascinating talk at the recent Shmoocon which dealt with this issue specifically. It was before the ruling but they gave a lot of contextual information and, IIRC, even some background on this case as it was pending.

Marcia Hofmann and Jerome Radcliffe - Encryption, Passwords, and Data Security
http://www.shmoocon.org/2012/videos/HofmannRadcliffe-EncyptionAndDataSecurity.m4v

- Marsh

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] US Appeals Court upholds right not to decrypt a drive
On Feb 24, 2012, at 5:43 PM, James A. Donald wrote:

> Truecrypt supports an inner and outer encrypted volume, encryption hidden inside encryption, the intended usage being that you reveal the outer encrypted volume, and refuse to admit the existence of the inner hidden volume.
>
> To summarize the judgment: Plausible deniability, or even not very plausible deniability, means you don't have to produce the key for the inner volume. The government first has to *prove* that the inner volume exists, and contains something hot. Only then can it demand the key for the inner volume.
>
> Defendant revealed, or forensics discovered, the outer volume, which was completely empty. (Bad idea - you should have something there for plausible deniability, such as legal but mildly embarrassing pornography, and a complete operating system for managing your private business documents, protected by a password that forensics can crack with a dictionary attack)
>
> Forensics felt that with FIVE TERABYTES of seemingly empty truecrypt drives, there had to be an inner volume, but a strong odor of rat is no substitute for proof.
>
> (Does there exist FIVE TERABYTES of child pornography in the entire world?)
>
> Despite forensics suspicions, no one, except the defendant, knows whether there is an inner volume or not, and so the Judge invoked the following precedent.
>
> http://www.ca11.uscourts.gov/opinions/ops/201112268.pdf
>
> That producing the key is protected if "conceding the existence, possession, and control of the documents tended to incriminate" the defendant.
>
> The Judge concluded that in order to compel production of the key, the government has to first prove that specific identified documents exist, and are in the possession and control of the defendant, for example the government would have to prove that the encrypted inner volume existed, was controlled by the defendant, and that he had stored on it a movie called "Lolita does LA", which the police department wanted to watch.

There is no such thing as plausible deniability in a legal context. Plausible deniability is a term that comes from conspiracy theorists (and like many things contains a kernel of truth) to describe a political technique where everyone knows what happened but the people who did it just assert that it can't be proven, along with a wink and a nudge.

But to get to the specifics here, I've spoken to law enforcement and border control people in a country that is not the US, who told me that yeah, they know all about TrueCrypt and their assumption is that *everyone* who has TrueCrypt has a hidden volume and if they find TrueCrypt they just get straight to getting the second password. They said, "We know about that trick, and we're not stupid."

I asked them about the case where someone has TrueCrypt but doesn't have a hidden volume, what would happen to someone who doesn't have one? Their response was, "Why would you do a dumb thing like that? The whole point of TrueCrypt is to have a hidden volume, and I suppose if you don't have one, you'll be sitting in a room by yourself for a long time. We're not *stupid*."

Jon
[cryptography] Fwd: (off-topic) Bitcoin is a repeated lesson in cryptography applications - was "endgame"
From: "John Levine"
> The definitive work on financial bubbles is Kindleberger's "Manias, Panics, and Crashes: A History of Financial Crises." Get the 2005 5th edition, which was edited by Robert Solow after Kindleberger died.

I really shouldn't continue this OT thread any longer, but I'll note that all financial panics have a common theme: Some people get rich selling snake oil to latecomers jumping on the bandwagon.
Re: [cryptography] (off-topic) Bitcoin is a repeated lesson in cryptography applications - was "endgame"
> Then you'll find out about Santayana's curse - those that don't study history are doomed to repeat it. For reference, start by reading John MacKay, _Extraordinary Popular Delusions and the Madness of Crowds_.

MacKay turns out not to be all that accurate. The definitive work on financial bubbles is Kindleberger's "Manias, Panics, and Crashes: A History of Financial Crises." Get the 2005 5th edition, which was edited by Robert Solow after Kindleberger died. It's quite readable, and should help put Bitcoin in context.

-- 
Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
Re: [cryptography] US Appeals Court upholds right not to decrypt a drive
> Surely the core of the ruling is that no one except the defendant knows for sure whether the key exists, knows whether there is an inner truecrypt volume or not. The cross examination of the forensics witness focused on that point.

On 2012-02-25 1:25 PM, d...@geer.org wrote:
> One must assume that this nicety does not apply to border crossings (Customs inspection) where access to anything and everything is stare decisis.

If they knew the inner drive existed, they could insist on access to it. But they can only suspect.

They can have access to the drive. They can have access to the encrypted drive on the unencrypted drive. They may *speculate* that there is an inner encrypted drive, but the only way they can find out that it exists is to ask me to incriminate myself.

That the customs can have access to everything physical that crosses the border is stare decisis - but it is a big jump that they have access to your state of mind.
Re: [cryptography] Bitcoin in endgame
On 2012-02-25 5:49 AM, Thor Lancelot Simon wrote:
> Is the major purpose of this mailing list really the discussion of political and social theory?

Nine tenths of cryptography is the threat model - as the failure of SSL demonstrates.
Re: [cryptography] (off-topic) Bitcoin is a repeated lesson in cryptography applications - was "endgame"
On 2012-02-25 12:53 PM, ianG wrote:
> It is also a singular lesson in the emotive power of cryptography to encourage large numbers of people to hash their intelligent thought processes. What we are seeing is otherwise rational people invest much time & effort into what amounts to a ponzi or bubble or pyramid scheme.

As Moldbug says, money is a bubble that never deflates.

Fact is, you can buy stuff today with Bitcoin. Its value is not in that people hope that tomorrow they can exchange it for more, but that today they can exchange it for something.
Re: [cryptography] Bitcoin in endgame
On Sat, Feb 25, 2012 at 05:08:44AM +1000, James A. Donald wrote:
> The paper presupposes that criminals are such horrible people that everything they touch turns to shit.

Not an un-wrong one-line summary of the paper.

On 25/02/12 06:49 AM, Thor Lancelot Simon wrote:
> Is the major purpose of this mailing list really the discussion of political and social theory? I thought I had subscribed to cryptography@randombit.net, not "I already spent four years doing political science, thanks."

Well it may appear that way. In this particular area though you might want to cut James some slack - he spent many years building Internet cryptographic payment systems. He actually does know what they do and how they work. And how they don't, and how they interact with users of distinct classes. Unlike the bitarazzi, who just hope the libertarian dream never ends, and unlike the banker apologists who just assume that the agreed & received wisdom of central banking will work if we just try harder.

Presenting how the economy works in less than one paragraph does raise difficulties for us all :)

iang
Re: [cryptography] US Appeals Court upholds right not to decrypt a drive
> Surely the core of the ruling is that no one except the defendant knows for sure whether the key exists, knows whether there is an inner truecrypt volume or not. The cross examination of the forensics witness focused on that point.

One must assume that this nicety does not apply to border crossings (Customs inspection) where access to anything and everything is stare decisis.

And, of course, any Court could order the duplication of the visible part of the volume(s) in question, thus to provide the defendant with those. If there is no inner redoubt, then the defendant has been deprived of nothing. One could even make the copy to a cloud rather than a physical device should an identical make and model of drive not be lying about. If I ran the zoo, I'd be automating that right now.

--dan
[cryptography] (off-topic) Bitcoin is a repeated lesson in cryptography applications - was "endgame"
I changed the title so those only interested in pure crypto can delete and move on.

On 25/02/12 04:24 AM, lodewijk andré de la porte wrote:
> This was an offtopic discussion from the start. The original paper does not include anything about crypto.

Yeah, except Bitcoin is a cryptographic construct from the get-go. It is a singular lesson in what happens when cryptographers dabble outside their particular expertise - in this case, monetary architecture. I.e., some very smart cryptographer thought he had solved the 'gold' problem with a cryptographic construct. But alchemy has a longer history than he realises.

It is also a singular lesson in the emotive power of cryptography to encourage large numbers of people to hash their intelligent thought processes. What we are seeing is otherwise rational people invest much time & effort into what amounts to a ponzi or bubble or pyramid scheme. Many people are being hurt by this, and more to come.

Same or similar thing happened with PKI, digital signatures, Digicash, SSL, e-gold, etc...

I suggest it is professionally important for serious cryptography people to follow this story and try to understand what goes wrong. Or right. One day, you might be asked to design something like this. Then you'll be involved. Then you'll find out about Santayana's curse - those that don't study history are doomed to repeat it. For reference, start by reading John MacKay, _Extraordinary Popular Delusions and the Madness of Crowds_. Published in 1841.

> Anyway, the problem you mention is exactly the one described in the paper.
>
> "Using Mancur Olsen's rationale that a prince is a bandit that stops roving, the notion of the mining franchise being captured by the botnets might have been an acceptable compromise to the economy growing up around bitcoin mining, if it went no further [Olsen]. However, criminals are rarely satiated. Several things happen: (a) incentives for easy money naturally cause an increase in criminal participation at all levels, such as direct theft of bitcoins. This increase across the board encourages (b) honest users to pack up and leave. Both of these effects combine to create rising criminality, and (c) at some stage the Feds get involved. Finally, (d) the system collapses."
>
> So "criminals" exist and they want to make money (which they already could but now they want more). Now something happens that summons an unbeatable* nemesis/third party and everything goes to hell. Nice line of reasoning. Very certain, unbiased, etc. Funny thing is that everyone believes them because they can use LaTeX, put references (to websites, most of which are bollocks themselves) and call it a paper. It's just another rambling about something that could but really won't happen. Don't forget to put things into perspective.

Perspective ... there's a funny word. Here's mine, from the e-gold experience and others [*].

What happened to e-gold was this: it worked, it boomed. It was structured fairly well to avoid the obvious attacks. It was good. It was very cheap for users - around 0.5% transaction fees. And payments were final. Which happened to work for an "arbitrage" class of customer variously known as real-time games, ponzis and pyramids. This is e-gold's "porn video" story, if you remember the 1980s.

The problem with these games was that (a) they were making a lot of money and doing a lot of transactions, (b) they were taking a lot of money from people who wanted to play, (c) which latter would then turn around and complain to "authorities" and (d) the games were more or less illegal in some sense or other. Each of those points by themselves was challengeable and acceptable and mitigatable at some level. Together however the result was as laid out in that paper. At some point something happened and /the feds/ or the nemesis got interested. Endgame.

The weaknesses that brought down the e-gold story were two-fold [$]. Firstly the management had a certain belief set that led them to charge on and not take pause - to not respond to emerging developments (in a way that Paypal were able to do for example). They did not respond so well to the games.

Secondly, the exchange network. Although highly diversified, independent and robust as a system, each exchanger had to be somewhere and had to have relationships with the primary banking system. This made them vulnerable to a single phone call. And so it happened - phone calls were made, exchange relationships were dropped. Most of the exchangers had perpetual trouble opening and losing bank accounts. Eventually most dropped out or were raided or had their funds seized or, etc etc.

This second weakness exists with Bitcoin. The bigger the exchangers get the more vulnerable they get, hence the exchange network has scalability problems at the nodal level. To get a taste of what this is abou
Re: [cryptography] US Appeals Court upholds right not to decrypt a drive
On 2012-02-25 7:28 AM, Steven Bellovin wrote:
> The first point, not addressed in your note but quite important to the ruling, is that the key has to be something you know, not something you have. If the keying material is on a smart card, you have to turn that over and you're not protected. If a PIN plus smart card is needed, you still have to turn over the smart card but not disclose the PIN.

Surely the core of the ruling is that no one except the defendant knows for sure whether the key exists, knows whether there is an inner truecrypt volume or not. The cross examination of the forensics witness focused on that point.
Re: [cryptography] US Appeals Court upholds right not to decrypt a drive
Truecrypt supports an inner and outer encrypted volume, encryption hidden inside encryption, the intended usage being that you reveal the outer encrypted volume, and refuse to admit the existence of the inner hidden volume.

To summarize the judgment: Plausible deniability, or even not very plausible deniability, means you don't have to produce the key for the inner volume. The government first has to *prove* that the inner volume exists, and contains something hot. Only then can it demand the key for the inner volume.

Defendant revealed, or forensics discovered, the outer volume, which was completely empty. (Bad idea - you should have something there for plausible deniability, such as legal but mildly embarrassing pornography, and a complete operating system for managing your private business documents, protected by a password that forensics can crack with a dictionary attack)

Forensics felt that with FIVE TERABYTES of seemingly empty truecrypt drives, there had to be an inner volume, but a strong odor of rat is no substitute for proof.

(Does there exist FIVE TERABYTES of child pornography in the entire world?)

Despite forensics suspicions, no one, except the defendant, knows whether there is an inner volume or not, and so the Judge invoked the following precedent.

http://www.ca11.uscourts.gov/opinions/ops/201112268.pdf

That producing the key is protected if "conceding the existence, possession, and control of the documents tended to incriminate" the defendant.

The Judge concluded that in order to compel production of the key, the government has to first prove that specific identified documents exist, and are in the possession and control of the defendant, for example the government would have to prove that the encrypted inner volume existed, was controlled by the defendant, and that he had stored on it a movie called "Lolita does LA", which the police department wanted to watch.
Re: [cryptography] US Appeals Court upholds right not to decrypt a drive
On Feb 24, 2012, at 2:30:57 PM, James A. Donald wrote:

> Bottom line is that the suspect was OK because he kept his mouth zippered, neither admitting nor denying any knowledge of the encrypted partition.
>
> Had he admitted control of the partition, *then* they would have been able to compel production of the key.
>
> The court did not concede any right to refuse to decrypt a drive if you admit possession of the contents.
>
> So: Don't talk to police about the contents of your drive, or indeed anything of which they might potentially disapprove.

No, I don't think that that's quite what the ruling said. It's a long, complex opinion; what you said is close to one aspect of it, but not (in my non-lawyer opinion) precisely what the court said.

The first point, not addressed in your note but quite important to the ruling, is that the key has to be something you know, not something you have. If the keying material is on a smart card, you have to turn that over and you're not protected. If a PIN plus smart card is needed, you still have to turn over the smart card but not disclose the PIN.

Second, and going to the heart of your point, what's essential is whether or not they already know in reasonable detail what's on the encrypted drive; depending on the circumstances, they may already have that knowledge regardless of what you've said. The issue of admitting possession is not what this case focused on; in fact, the prosecution tried to finesse that point by granting limited immunity on that point. Quoting from the opinion:

'The U.S. Attorney requested that the court grant Doe immunity limited to “the use [of Doe’s] act of production of the unencrypted contents” of the hard drives. That is, Doe’s immunity would not extend to the Government’s derivative use of contents of the drives as evidence against him in a criminal prosecution. The court accepted the U.S. Attorney’s position regarding the scope of the immunity to give Doe and granted the requested order. The order “convey[ed] immunity for the act of production of the unencrypted drives, but [did] not convey immunity regarding the United States’ [derivative] use” of the decrypted contents of the drives.'

In other words, the fact of control of the encrypted data -- aka knowledge of the key -- was not at issue; the prosecution had agreed not to use that. What was important was the files on the drive. This is what distinguishes this case from Boucher (a case discussed in the opinion).

The other current case is Fricosu, where a trial judge has ordered her to decrypt her laptop. The Court of Appeals for that circuit -- the 10th; the opinion I cited is from the 11th, and hence not binding on this court -- declined to hear her appeal, not on the merits but because as a matter of procedure they won't intervene at this point in a trial. If she's convicted, she can appeal on the grounds that her Fifth Amendment rights were violated, but not until then. It's worth noting that the trial judge made his ruling on the same basis as the 11th Circuit Court of Appeals: did the government have enough prior knowledge of the contents that her rights were not infringed? An appellate court may find that he didn't rule correctly on that point, or it may decline to adopt the 11th Circuit's reasoning -- but the fundamental legal reasoning is the same; what's different is the facts of the case.

(Btw, Fricosu did not talk to the police; however, she made injudicious statements to her husband in a monitored jailhouse call...)

--Steve Bellovin, https://www.cs.columbia.edu/~smb
Re: [cryptography] Bitcoin in endgame
On Feb 24, 2012, at 11:49 AM, Thor Lancelot Simon wrote:
> Is the major purpose of this mailing list really the discussion of political and social theory? I thought I had subscribed to cryptography@randombit.net, not "I already spent four years doing political science, thanks."

+1. Although it is nice to discover that I'm not the only person on the list who did four years doing political science. :-)

--Paul Hoffman
Re: [cryptography] Bitcoin in endgame
On 02/24/2012 01:49 PM, Thor Lancelot Simon wrote:
> Is the major purpose of this mailing list really the discussion of political and social theory? I thought I had subscribed to cryptography@randombit.net, not "I already spent four years doing political science, thanks."

It is apparently different things to different people. Mailing list rules can make it just what *you* want it to be. :-)

- Marsh
Re: [cryptography] US Appeals Court upholds right not to decrypt a drive
On Sat, 25 Feb 2012 05:30:57 +1000 "James A. Donald" wrote:
> So: Don't talk to police about the contents of your drive, or indeed anything of which they might potentially disapprove.

I believe that you meant to say, "Don't talk to the police at all," which should be standard policy for anyone who finds themselves under arrest. There is no advantage in talking to the police once you have been arrested, nothing you say will help in your defense and you are not going to talk your way out of an arrest. The odds are stacked against you during a police interview -- you are talking to people who have been trained to extract confessions, who are being paid to sit there interrogating you, and who will pick through what you say to find incriminating statements. Stay quiet, speak only to your attorney, and let your attorney speak on your behalf; you cannot be penalized for exercising your rights, nor can the fact that you refused to speak be introduced as evidence against you (at least in the United States).

-- 
Ben

-- 
Benjamin R Kreuter
UVA Computer Science
brk...@virginia.edu
KK4FJZ

-- 
"If large numbers of people are interested in freedom of speech, there will be freedom of speech, even if the law forbids it; if public opinion is sluggish, inconvenient minorities will be persecuted, even if laws exist to protect them." - George Orwell
Re: [cryptography] Bitcoin in endgame
On Sat, Feb 25, 2012 at 05:08:44AM +1000, James A. Donald wrote:
> If the users of bitcoin are primarily criminals, that is pretty much what the founders intended. Every middle class man of affairs and business commits three felonies a day.
>
> The paper presupposes that criminals are such horrible people that everything they touch turns to shit.
>
> My experience is that ordinary unorganized criminals are anti social and need killing, but that organized crime is pretty good, or at least not nearly so bad as police and regulatory authorities.

Is the major purpose of this mailing list really the discussion of political and social theory? I thought I had subscribed to cryptography@randombit.net, not "I already spent four years doing political science, thanks."

Thor
Re: [cryptography] Bitcoin in endgame
If the users of bitcoin are primarily criminals, that is pretty much what the founders intended. Every middle class man of affairs and business commits three felonies a day.

The paper presupposes that criminals are such horrible people that everything they touch turns to shit.

My experience is that ordinary unorganized criminals are anti social and need killing, but that organized crime is pretty good, or at least not nearly so bad as police and regulatory authorities.

The converse of Olson's theory is that when a stationary bandit becomes too incompetent and corrupt, due to organizational decay and diseconomies of scale, to pursue his rational best interest, mobile bandits are a relief.
Re: [cryptography] US Appeals Court upholds right not to decrypt a drive
wow deja vu: http://www.mail-archive.com/fde@www.xml-dev.com/msg00623.html
Re: [cryptography] US Appeals Court upholds right not to decrypt a drive
Bottom line is that the suspect was OK because he kept his mouth zippered, neither admitting nor denying any knowledge of the encrypted partition.

Had he admitted control of the partition, *then* they would have been able to compel production of the key.

The court did not concede any right to refuse to decrypt a drive if you admit possession of the contents.

So: Don't talk to police about the contents of your drive, or indeed anything of which they might potentially disapprove.
[cryptography] US Appeals Court upholds right not to decrypt a drive
http://volokh.com/2012/02/23/eleventh-circuit-finds-fifth-amendment-right-against-self-incrimination-not-to-decrypt-encyrpted-computer/

--Steve Bellovin, https://www.cs.columbia.edu/~smb
Re: [cryptography] Bitcoin in endgame
2012/2/23 Moritz Bartl
> On 23.02.2012 10:24, Eugen Leitl wrote:
> > In general so far I fail to see the validity of most criticisms against BitCoin. So far I see the only real problem is government crackdown on exchanges, which only makes BTC free-floating and slows down the growth of the underlying economy.
> >
> > Sorry if this is off-topic to cryptography. We can take the thread offlist at any time.
>
> This was an offtopic discussion from the start. The original paper does not include anything about crypto.
>
> Anyway, the problem you mention is exactly the one described in the paper.
>
> "Using Mancur Olsen's rationale that a prince is a bandit that stops roving, the notion of the mining franchise being captured by the botnets might have been an acceptable compromise to the economy growing up around bitcoin mining, if it went no further [Olsen]. However, criminals are rarely satiated. Several things happen: (a) incentives for easy money naturally cause an increase in criminal participation at all levels, such as direct theft of bitcoins. This increase across the board encourages (b) honest users to pack up and leave. Both of these effects combine to create rising criminality, and (c) at some stage the Feds get involved. Finally, (d) the system collapses."

So "criminals" exist and they want to make money (which they already could but now they want more). Now something happens that summons an unbeatable* nemesis/third party and everything goes to hell. Nice line of reasoning. Very certain, unbiased, etc. Funny thing is that everyone believes them because they can use LaTeX, put references (to websites, most of which are bollocks themselves) and call it a paper. It's just another rambling about something that could but really won't happen. Don't forget to put things into perspective.

*can't really beat anything, they can only make it crime-exclusive. (you make it illegal and only those that don't care about the law can use it.)
Re: [cryptography] Duplicate primes in lots of RSA moduli
On 22/02/12 13:31 PM, Kevin W. Wall wrote:
> So, let's bring this back to cryptography. I'm going to assume that virtually all of you are somewhat altruistic and are not in this game just to make a boatload of money by keeping all the crypto knowledge within the secret priesthood thereby driving your own salaries up.

! idk, sounds like a challengeable assumption.

> For starters, I would urge those of you who are not involved in the open source movement to step up and help out with things like OpenSSL, OpenSSH, cryptographic libraries (in languages *other* than C/C++), etc. Personally, I would *more* than welcome someone here stepping forward and volunteering to head up the crypto effort in OWASP ESAPI. Even though some people from the NSA have reviewed it, I'm paranoid enough to think that it's what they are NOT telling me that is wrong is what is worrying me.
>
> I know many of you have already contributed (I won't attempt to name names because I'd probably unintentionally leave a few of you out and offend them), but not nearly enough. Most of you who regularly post to this mailing list have commented on how you've seen some of the same beginner crypto failures over and over, so how about starting with just a simple crypto HowTo FAQ, maybe an OWASP crypto cheat sheet.

I suspect most of the people here would prefer to be paid for this. I know I would. (One of the reasons I never coded for Mozilla was that my company would have had a conflict in time. Helping them with their policies however was not seen as a conflict.)

> Just personal observations.
>
> 1) They think that key size is the paramount thing; the bigger the better. NIST are the current baddies here.
> 2) They have no clue as to what cipher modes are. It's ECB by default.
> 3) More importantly, they don't know how to choose a cipher mode (not surprising, given #2). They need to understand the trade-offs.
> 4) They have no idea about how to generate keys, derived keys, IVs,
> 5) They don't know what padding is, or when/why to use it.
> 6) They have a very naive concept of entropy...where/when to use it and from where and how to obtain it.

Yes, crypto seems to be in layers. Block algorithms. Modes, and implications. The rest. The game is to push more of it back down to "algorithms".

iang
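Kevin's list of beginner failures (key size as the paramount thing, ECB by default, no idea how to choose a mode or generate IVs, padding, entropy) shown side by side in working code, as an added example that is not from this thread, OWASP ESAPI or any other project it names: the ECB helper is hand-written because Go's standard library ships no ECB mode, the 256-bit key and the repeated plaintext block are constructed inputs, and AES-GCM with a nonce from the OS CSPRNG stands in as the corrected form.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ecbEncrypt applies the raw block cipher to each block on its own, which is
// what "ECB by default" amounts to. No padding is applied here: the input must
// already be a multiple of the block size, or the call fails.
func ecbEncrypt(block cipher.Block, plaintext []byte) ([]byte, error) {
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, errors.New("ecb: plaintext length is not a multiple of the block size")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// duplicateBlocks counts ciphertext blocks that repeat an earlier one. Under
// ECB equal plaintext blocks give equal ciphertext blocks, so a nonzero count
// is plaintext structure visible to anyone holding the ciphertext, whatever
// the key size.
func duplicateBlocks(ciphertext []byte, bs int) int {
	seen := make(map[string]bool)
	dups := 0
	for i := 0; i+bs <= len(ciphertext); i += bs {
		b := string(ciphertext[i : i+bs])
		if seen[b] {
			dups++
		}
		seen[b] = true
	}
	return dups
}

// gcmSeal is the corrected form: an authenticated mode with a fresh nonce from
// the OS CSPRNG for every message. The nonce is prepended to the output, no
// padding is involved, and any change to the result is caught on open.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext || tag to the nonce, giving nonce || ciphertext || tag.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen splits off the nonce and returns plaintext only if the tag verifies,
// so a flipped bit anywhere in the message is an error rather than garbage.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("gcm: message too short to hold nonce and tag")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

func main() {
	// Constructed inputs: a random 256-bit key and four identical 16-byte blocks.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	block, _ := aes.NewCipher(key)
	plaintext := bytes.Repeat([]byte("SAME16BYTEBLOCK!"), 4)

	ecb, _ := ecbEncrypt(block, plaintext)
	fmt.Printf("ECB: %d repeated ciphertext blocks (plaintext structure leaked)\n", duplicateBlocks(ecb, 16))

	sealed, _ := gcmSeal(key, plaintext)
	fmt.Printf("GCM: %d repeated blocks, %d bytes of nonce+ciphertext+tag\n", duplicateBlocks(sealed, 16), len(sealed))
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the tag
	_, err := gcmOpen(key, sealed)
	fmt.Printf("GCM: tampered message rejected: %v\n", err != nil)
}
```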