Re: [cryptography] Ripple a.k.a. OpenCoin

2013-06-25 Thread Taral
So someone pointed out to me that using x+g^y for keygen avoids
certain timing attacks on the process. So at least that is no longer
odd. Truncated sha512 is odd but not wrong, although it seems odd to
use both sha256 and truncated sha512 in the same application. I'm
going to assume it's for extensibility in case they decide to go to a
512-bit curve.

I'll keep digging. More discussion is welcome.

- JP

On Tue, Jun 25, 2013 at 6:00 PM, Clark Minor  wrote:
> Ok, I took your comment about only looking at Ripple for two hours to mean
> you weren't aware of the master / secondary key system, and thought I would
> point you in the right direction. Then again, I suppose just creating a
> Ripple wallet exposes the user to this system, so most people should be
> aware of it. I'm guessing you've also read through
> https://ripple.com/wiki/Account_Family and your questions still persist, so
> I'm just not clear on your specific points of confusion.
>
>
> On Tue, Jun 25, 2013 at 7:11 PM, Taral  wrote:
>>
>> On Tue, Jun 25, 2013 at 5:08 PM, Clark Minor  wrote:
>> > Why use secp256k1 and ripemd160 (I think that's what you mean by "odd
>> > hash")? I think the main reason is just that Ripple was influenced by
>> > Bitcoin, and Bitcoin uses both.
>>
>> No, the odd hash is truncated sha512. ripemd160 hasn't shown up yet,
>> and if it does I will be even more suspicious because that means
>> they're using THREE different hashes.
>>
>> > Why add a random value to the end and use it as a secret? Ripple does
>> > this
>> > to support protection against compromised accounts. A user gives their
>> > account a name and a password for daily use, but Ripple also generates a
>> > "master key" that can be used to recover the entire thing.
>>
>> No, the master / secondary key thing is set via a protocol message.
>> This is the key derivation algorithm for the master key only. And it's
>> very weird.
>>
>>
>> > And here's an explanation from David Schwartz, who is in charge of
>> > Ripple's
>> > crypto:
>> >
>> > http://bitcoin.stackexchange.com/questions/10220/what-is-the-relationship-between-the-ripple-secret-key-and-the-wallet-name-passp/10224#10224
>>
>> That's about the payvault/local blob storage system for storing the
>> secret. Nothing to do with this.
>>
>> --
>> Taral 
>> "Please let me know if there's any further trouble I can give you."
>> -- Unknown
>
>



-- 
Taral 
"Please let me know if there's any further trouble I can give you."
-- Unknown
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Ripple a.k.a. OpenCoin

2013-06-25 Thread Clark Minor
Ok, I took your comment about only looking at Ripple for two hours to mean
you weren't aware of the master / secondary key system, and thought I would
point you in the right direction. Then again, I suppose just creating a
Ripple wallet exposes the user to this system, so most people should be
aware of it. I'm guessing you've also read through
https://ripple.com/wiki/Account_Family and your questions still persist, so
I'm just not clear on your specific points of confusion.


On Tue, Jun 25, 2013 at 7:11 PM, Taral  wrote:

> On Tue, Jun 25, 2013 at 5:08 PM, Clark Minor  wrote:
> > Why use secp256k1 and ripemd160 (I think that's what you mean by "odd
> > hash")? I think the main reason is just that Ripple was influenced by
> > Bitcoin, and Bitcoin uses both.
>
> No, the odd hash is truncated sha512. ripemd160 hasn't shown up yet,
> and if it does I will be even more suspicious because that means
> they're using THREE different hashes.
>
> > Why add a random value to the end and use it as a secret? Ripple does
> > this to support protection against compromised accounts. A user gives
> > their account a name and a password for daily use, but Ripple also
> > generates a "master key" that can be used to recover the entire thing.
>
> No, the master / secondary key thing is set via a protocol message.
> This is the key derivation algorithm for the master key only. And it's
> very weird.
>
>
> > And here's an explanation from David Schwartz, who is in charge of
> > Ripple's crypto:
> >
> > http://bitcoin.stackexchange.com/questions/10220/what-is-the-relationship-between-the-ripple-secret-key-and-the-wallet-name-passp/10224#10224
>
> That's about the payvault/local blob storage system for storing the
> secret. Nothing to do with this.
>
> --
> Taral 
> "Please let me know if there's any further trouble I can give you."
> -- Unknown
>


Re: [cryptography] Ripple a.k.a. OpenCoin

2013-06-25 Thread rippleCN
secp256k1 and ripemd160 are just copied from bitcoin. Nothing weird if you
are familiar with bitcoin.

Basically bitcoin introduced this "base58check" for generating an address.
E.g. the base point of
secp256k1, 0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798,
corresponds to the address 1BgGZ9tcN4rm9KBzDn7KprQz87SZ26SAMH. Keywords
here are "base 58", "version byte", "payload" and a 4 bytes "check" at the
end.

I'm not suspicious about this part at all. Basically they just reused some
of bitcoin's code.

There are some changes for ripple address. The code_string for base 58 is
"rpshnaf39wBUDNEGHJKLM4PQRST7VWXYZ2bcdeCg65jkm8oFqi1tuvAxyz" instead of
bitcoin's "123456789...xyz". See
encodings and account family.

The seed is just a random 128 bits. Nothing special. To encode that as a
secret key you just do base58check with version byte = '\x21' and payload =
16 bytes.

test vector:
seed in hex: 4423C39186B629BFE8247BD6E6E84D0D
"secret_key": sseMtQSGEqTG3edPjzUGB9AG7LxwB
Account_ID: rEPjVe3aZbJZPB5BbCyAm65dNfirugt4mx

The generation of key pair is the weird part. The actual private key one
uses to sign a transaction is computed from the seed. Seed ---> private
generator ---> priv_key.

def key_pair(seed):
    # sha512half, pub_key_point and group_order are helpers not shown in this message
    seq_bytes = b'\x00\x00\x00\x00'
    seed_seq  = seed + seq_bytes
    priv_gen  = sha512half(seed_seq)              # private generator
    pub_gen_b = pub_key_point(priv_gen).as_key()  # public generator, serialized
    sub_seq   = b'\x00\x00\x00\x00'
    seed_sseq = pub_gen_b + seq_bytes + sub_seq
    step3 = sha512half(seed_sseq)
    priv_key  = (step3 + priv_gen) % group_order  # signing key
    pub_key_b = pub_key_point(priv_key).as_key()
    return priv_key, pub_key_b

The sequence bytes and subsequence bytes are not quite interesting right
now. Presumably in the future this will allow a seed to generate multiple
key pairs. The address is just... Err, the base58check, of the ripemd160
hash, of the sha256, of the public key.

Once you get the priv_key you can use it to sign transactions. The one you
sign needs to be in binary format, properly ordered.

I don't see anything suspicious here. If you sign your own transaction you
just push it to the network (e.g. via the RPC API) and it's done. To
completely sign a tx offline you need to know the sequence of your account
though. (This is not the sequence byte when generating private key, it's
the sequence in account_info.)

On Tue, Jun 25, 2013 at 5:11 PM, Taral  wrote:

> On Tue, Jun 25, 2013 at 5:08 PM, Clark Minor  wrote:
> > Why use secp256k1 and ripemd160 (I think that's what you mean by "odd
> > hash")? I think the main reason is just that Ripple was influenced by
> > Bitcoin, and Bitcoin uses both.
>
> No, the odd hash is truncated sha512. ripemd160 hasn't shown up yet,
> and if it does I will be even more suspicious because that means
> they're using THREE different hashes.
>
> > Why add a random value to the end and use it as a secret? Ripple does
> > this to support protection against compromised accounts. A user gives
> > their account a name and a password for daily use, but Ripple also
> > generates a "master key" that can be used to recover the entire thing.
>
> No, the master / secondary key thing is set via a protocol message.
> This is the key derivation algorithm for the master key only. And it's
> very weird.
>
>
> > And here's an explanation from David Schwartz, who is in charge of
> > Ripple's crypto:
> >
> > http://bitcoin.stackexchange.com/questions/10220/what-is-the-relationship-between-the-ripple-secret-key-and-the-wallet-name-passp/10224#10224
>
> That's about the payvault/local blob storage system for storing the
> secret. Nothing to do with this.
>
> --
> Taral 
> "Please let me know if there's any further trouble I can give you."
> -- Unknown
>
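
The seed encoding and key derivation described in the message above, as an added standard-library Python example (not rippleCN's or Ripple's code). Function names are chosen here, the checksum is assumed to be Bitcoin's double-SHA-256 base58check, and `public_key_only` shows what the additive step makes possible: the same public key computed from the public generator with no secret involved.

```python
import hashlib

# secp256k1 parameters; G's x-coordinate is the base point quoted in the message.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
ALPHABET = "rpshnaf39wBUDNEGHJKLM4PQRST7VWXYZ2bcdeCg65jkm8oFqi1tuvAxyz"
# Test vector as posted in the message.
POSTED_SEED = bytes.fromhex("4423C39186B629BFE8247BD6E6E84D0D")
POSTED_SECRET = "sseMtQSGEqTG3edPjzUGB9AG7LxwB"

def point_add(a, b):
    """Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], P - 2, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], P - 2, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def point_mul(k, pt=G):
    """Double-and-add. Not constant time: for checking values, not for signing."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt, k = point_add(pt, pt), k >> 1
    return acc

def compress(pt):
    """33-byte compressed encoding: 02/03 prefix by parity of y, then x."""
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")

def sha512half(data):
    """First 256 bits of SHA-512, as an integer."""
    return int.from_bytes(hashlib.sha512(data).digest()[:32], "big")

def tweak(pub_gen, seq, sub_seq):
    return sha512half(compress(pub_gen) + seq.to_bytes(4, "big") + sub_seq.to_bytes(4, "big"))

def key_pair(seed, seq=0, sub_seq=0):
    """Seed -> private generator -> private key, following the posted key_pair()."""
    priv_gen = sha512half(seed + seq.to_bytes(4, "big"))
    pub_gen = point_mul(priv_gen)
    priv_key = (tweak(pub_gen, seq, sub_seq) + priv_gen) % N
    return pub_gen, priv_key, point_mul(priv_key)

def public_key_only(pub_gen, seq=0, sub_seq=0):
    """The same public key from the public generator alone: tweak*G + pub_gen."""
    return point_add(point_mul(tweak(pub_gen, seq, sub_seq)), pub_gen)

def checksum(raw):
    return hashlib.sha256(hashlib.sha256(raw).digest()).digest()[:4]

def b58check_encode(version, payload):
    raw = bytes([version]) + payload
    raw += checksum(raw)
    num, out = int.from_bytes(raw, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = ALPHABET[rem] + out
    return ALPHABET[0] * (len(raw) - len(raw.lstrip(b"\0"))) + out

def b58check_decode(text):
    num = 0
    for ch in text:
        num = num * 58 + ALPHABET.index(ch)  # ValueError on a foreign character
    pad = len(text) - len(text.lstrip(ALPHABET[0]))
    raw = b"\0" * pad + num.to_bytes((num.bit_length() + 7) // 8, "big")
    if len(raw) < 5 or checksum(raw[:-4]) != raw[-4:]:
        raise ValueError("bad base58check checksum")
    return raw[0], raw[1:-4]

if __name__ == "__main__":
    print("seed ->", b58check_encode(0x21, POSTED_SEED))
    pub_gen, priv_key, pub_key = key_pair(POSTED_SEED)
    print("public key:", compress(pub_key).hex())
    print("derivable without secrets:", public_key_only(pub_gen) == pub_key)
```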


Re: [cryptography] Ripple a.k.a. OpenCoin

2013-06-25 Thread Clark Minor
I've been looking at Ripple for a few months now, and also found their
crypto confusing at first. It seems strange because it's complex. However,
I don't think it's complex because it's wrong, but rather because it's well
thought out.

Why use secp256k1 and ripemd160 (I think that's what you mean by "odd
hash")? I think the main reason is just that Ripple was influenced by
Bitcoin, and Bitcoin uses both.

Why add a random value to the end and use it as a secret? Ripple does this
to support protection against compromised accounts. A user gives their
account a name and a password for daily use, but Ripple also generates a
"master key" that can be used to recover the entire thing.

There are some more details on their wiki:
https://ripple.com/wiki/Master_Key

And here's an explanation from David Schwartz, who is in charge of Ripple's
crypto:
http://bitcoin.stackexchange.com/questions/10220/what-is-the-relationship-between-the-ripple-secret-key-and-the-wallet-name-passp/10224#10224

-Clark



On Tue, Jun 25, 2013 at 6:27 PM, Taral  wrote:

> It's just weird. Can anyone explain why they generate an x, compute
> g^x, then add a random value to that and use it as a secret? Why the
> odd hash? Why secp256k1 instead of a faster system like ed25519? All
> of these things make me worry.
>
> Well-designed systems use crypto consistently and with clear
> direction. Ripple does neither of these.
>
> On Tue, Jun 25, 2013 at 3:47 PM, Yuhao Huang  wrote:
> > What exactly do you worry about?
> >
> > I'm starting a ripple-related business and have studied ripple
> > intensively. (I also get access to rippled, the back-end program that
> > validates transactions.) Here is my understanding:
> >
> > The key generation process starts with a random 128-bit seed and
> > generates private key for ECDSA (curve is like bitcoin, secp256k1). This
> > might look silly but after all discrete logarithm on a 256-bit curve only
> > provides 128-bit security. (I haven't read the js source code, so I'm not
> > sure if there is any vulnerability there.)
> >
> > Presumably this will allow one seed to unlock multiple addresses in the
> > future (say take seq bytes \x00\x00\x00\x00, \x00\x00\x00\x01,
> > \x00\x00\x00\x02 ... and similarly for the subseq bytes). This is,
> > hopefully, a feature which adds some anonymity.
> >
> > They also use a weird hash. (First half of sha512.) The only reason I can
> > think of is they expect computing first half of sha512 is harder than
> > sha256. With some hard work this could be false.
> >
> > On Mon, Jun 24, 2013 at 5:40 PM, Taral  wrote:
> >>
> >> Has anyone taken a close look at this? I took a short (2 hour) look
> >> and I worry. The key generation algorithm[1] makes me want to cry...
> >> :(
> >>
> >> [1] https://github.com/ripple/ripple-lib/blob/master/src/js/ripple/seed.js
> >> (get_key)
> >>
> >> --
> >> Taral 
> >> "Please let me know if there's any further trouble I can give you."
> >> -- Unknown
> >
> >
>
>
>
> --
> Taral 
> "Please let me know if there's any further trouble I can give you."
> -- Unknown
>


Re: [cryptography] Ripple a.k.a. OpenCoin

2013-06-25 Thread Taral
On Tue, Jun 25, 2013 at 5:08 PM, Clark Minor  wrote:
> Why use secp256k1 and ripemd160 (I think that's what you mean by "odd
> hash")? I think the main reason is just that Ripple was influenced by
> Bitcoin, and Bitcoin uses both.

No, the odd hash is truncated sha512. ripemd160 hasn't shown up yet,
and if it does I will be even more suspicious because that means
they're using THREE different hashes.

> Why add a random value to the end and use it as a secret? Ripple does this
> to support protection against compromised accounts. A user gives their
> account a name and a password for daily use, but Ripple also generates a
> "master key" that can be used to recover the entire thing.

No, the master / secondary key thing is set via a protocol message.
This is the key derivation algorithm for the master key only. And it's
very weird.


> And here's an explanation from David Schwartz, who is in charge of Ripple's
> crypto:
> http://bitcoin.stackexchange.com/questions/10220/what-is-the-relationship-between-the-ripple-secret-key-and-the-wallet-name-passp/10224#10224

That's about the payvault/local blob storage system for storing the
secret. Nothing to do with this.

--
Taral 
"Please let me know if there's any further trouble I can give you."
-- Unknown


Re: [cryptography] Ripple a.k.a. OpenCoin

2013-06-25 Thread Taral
It's just weird. Can anyone explain why they generate an x, compute
g^x, then add a random value to that and use it as a secret? Why the
odd hash? Why secp256k1 instead of a faster system like ed25519? All
of these things make me worry.

Well-designed systems use crypto consistently and with clear
direction. Ripple does neither of these.

On Tue, Jun 25, 2013 at 3:47 PM, Yuhao Huang  wrote:
> What exactly do you worry about?
>
> I'm starting a ripple-related business and have studied ripple intensively.
> (I also get access to rippled, the back-end program that validates
> transactions.) Here is my understanding:
>
> The key generation process starts with a random 128-bit seed and generates
> private key for ECDSA (curve is like bitcoin, secp256k1). This might look
> silly but after all discrete logarithm on a 256-bit curve only provides
> 128-bit security. (I haven't read the js source code, so I'm not sure if
> there is any vulnerability there.)
>
> Presumably this will allow one seed to unlock multiple addresses in the future
> (say take seq bytes \x00\x00\x00\x00, \x00\x00\x00\x01, \x00\x00\x00\x02 ...
> and similarly for the subseq bytes). This is, hopefully, a feature which
> adds some anonymity.
>
> They also use a weird hash. (First half of sha512.) The only reason I can
> think of is they expect computing first half of sha512 is harder than
> sha256. With some hard work this could be false.
>
> On Mon, Jun 24, 2013 at 5:40 PM, Taral  wrote:
>>
>> Has anyone taken a close look at this? I took a short (2 hour) look
>> and I worry. The key generation algorithm[1] makes me want to cry...
>> :(
>>
>> [1] https://github.com/ripple/ripple-lib/blob/master/src/js/ripple/seed.js
>> (get_key)
>>
>> --
>> Taral 
>> "Please let me know if there's any further trouble I can give you."
>> -- Unknown
>
>



--
Taral 
"Please let me know if there's any further trouble I can give you."
-- Unknown


Re: [cryptography] Snowden: Fabricating Digital Keys?

2013-06-25 Thread Peter Gutmann
Bill Scannell  writes:

>"Last week NSA Director Keith Alexander told the House Permanent Select
>Committee on Intelligence that Snowden was able to access files inside the
>NSA by fabricating digital keys that gave him access to areas he was not
>allowed to visit as a low-level contractor and systems administrator. "
>
>How would one fabricate a digital key?

He used his root access to get into other people's accounts.

(Running a fake CA? You people are really over-thinking these things :-).

Peter.



Re: [cryptography] Ripple a.k.a. OpenCoin

2013-06-25 Thread Yuhao Huang
What exactly do you worry about?

I'm starting a ripple-related business and have studied ripple intensively.
(I also get access to rippled, the back-end program that validates
transactions.) Here is my understanding:

The key generation process starts with a random 128-bit seed and generates
private key for ECDSA (curve is like bitcoin, secp256k1). This might look
silly but after all discrete logarithm on a 256-bit curve only provides
128-bit security. (I haven't read the js source code, so I'm not sure if
there is any vulnerability there.)

Presumably this will allow one seed to unlock multiple addresses in the
future (say take seq bytes \x00\x00\x00\x00, \x00\x00\x00\x01,
\x00\x00\x00\x02 ... and similarly for the subseq bytes). This is,
hopefully, a feature which adds some anonymity.

They also use a weird hash. (First half of sha512.) The only reason I can
think of is they expect computing first half of sha512 is harder than
sha256. With some hard work this could be false.

On Mon, Jun 24, 2013 at 5:40 PM, Taral  wrote:

> Has anyone taken a close look at this? I took a short (2 hour) look
> and I worry. The key generation algorithm[1] makes me want to cry...
> :(
>
> [1] https://github.com/ripple/ripple-lib/blob/master/src/js/ripple/seed.js
> (get_key)
>
> --
> Taral 
> "Please let me know if there's any further trouble I can give you."
> -- Unknown
>


Re: [cryptography] Snowden: Fabricating Digital Keys?

2013-06-25 Thread Jeffrey Walton
On Tue, Jun 25, 2013 at 5:47 PM, Mark Seiden  wrote:
> maybe he just used other people's ssh keys that were protected by a weak (or 
> no) passphrase?
>
> "fabricate" is a pretty strong word, but under the "least untruthful" 
> standard that James Clapper says he's applied to
> congressional testimony, there are numerous interpretive possibilities.
What's more likely is there were little/no/improper access controls
(Bradley Manning FTW!), and the government is "fabricating" the
claim.

Jeff

> On Jun 25, 2013, at 2:32 PM, Natanael  wrote:
>
>> That depends on the system. Consider how HDCP encryption was broken;
>>
>> https://en.wikipedia.org/wiki/High-bandwidth_Digital_Content_Protection
>>
>> It used a scheme where access to enough keys allowed you to calculate the 
>> master key, breaking the entire scheme.
>>
>>
>> 2013/6/25 Bill Scannell 
>> This Daily Beast story on Causa Snowden 
>> (http://www.thedailybeast.com/articles/2013/06/25/greenwald-snowden-s-files-are-out-there-if-anything-happens-to-him.html)
>>  contains the following sentence:
>>
>> "Last week NSA Director Keith Alexander told the House Permanent Select 
>> Committee on Intelligence that Snowden was able to access files inside the 
>> NSA by fabricating digital keys that gave him access to areas he was not 
>> allowed to visit as a low-level contractor and systems administrator. "
>>
>> How would one fabricate a digital key?


Re: [cryptography] Snowden: Fabricating Digital Keys?

2013-06-25 Thread Thor Lancelot Simon
On Tue, Jun 25, 2013 at 05:17:04PM -0400, Bill Scannell wrote:
> This Daily Beast story on Causa Snowden 
> (http://www.thedailybeast.com/articles/2013/06/25/greenwald-snowden-s-files-are-out-there-if-anything-happens-to-him.html)
>  contains the following sentence: 
> 
> "Last week NSA Director Keith Alexander told the House Permanent Select 
> Committee on Intelligence that Snowden was able to access files inside the 
> NSA by fabricating digital keys that gave him access to areas he was not 
> allowed to visit as a low-level contractor and systems administrator. "
> 
> How would one fabricate a digital key?

Presumably using administrative access to the machinery of a certificate
authority or a signing system for security assertions.



Re: [cryptography] Snowden: Fabricating Digital Keys?

2013-06-25 Thread Mark Seiden
maybe he just used other people's ssh keys that were protected by a weak (or 
no) passphrase?

"fabricate" is a pretty strong word, but under the "least untruthful" standard 
that James Clapper says he's applied to
congressional testimony, there are numerous interpretive possibilities.

On Jun 25, 2013, at 2:32 PM, Natanael  wrote:

> That depends on the system. Consider how HDCP encryption was broken;
> 
> https://en.wikipedia.org/wiki/High-bandwidth_Digital_Content_Protection
> 
> It used a scheme where access to enough keys allowed you to calculate the 
> master key, breaking the entire scheme.
> 
> 
> 2013/6/25 Bill Scannell 
> This Daily Beast story on Causa Snowden 
> (http://www.thedailybeast.com/articles/2013/06/25/greenwald-snowden-s-files-are-out-there-if-anything-happens-to-him.html)
>  contains the following sentence:
> 
> "Last week NSA Director Keith Alexander told the House Permanent Select 
> Committee on Intelligence that Snowden was able to access files inside the 
> NSA by fabricating digital keys that gave him access to areas he was not 
> allowed to visit as a low-level contractor and systems administrator. "
> 
> How would one fabricate a digital key?
> 
> 
> -Bill



Re: [cryptography] Snowden: Fabricating Digital Keys?

2013-06-25 Thread Bill Scannell
On Jun 25, 2013, at 5:38 PM, Thor Lancelot Simon wrote:

> On Tue, Jun 25, 2013 at 05:17:04PM -0400, Bill Scannell wrote:
>> This Daily Beast story on Causa Snowden 
>> (http://www.thedailybeast.com/articles/2013/06/25/greenwald-snowden-s-files-are-out-there-if-anything-happens-to-him.html)
>>  contains the following sentence: 
>> 
>> "Last week NSA Director Keith Alexander told the House Permanent Select 
>> Committee on Intelligence that Snowden was able to access files inside the 
>> NSA by fabricating digital keys that gave him access to areas he was not 
>> allowed to visit as a low-level contractor and systems administrator. "
>> 
>> How would one fabricate a digital key?
> 
> Presumably using administrative access to the machinery of a certificate
> authority or a signing system for security assertions.
> 

That makes sense.  I figured that the easiest way would be through the CA.  
While I understand the NSA paradox in that the lower one is in their 
organization, the more one knows, what puzzles me is how or why a random 
low-level contractor would have root CA access, assuming that was the case.


Re: [cryptography] Snowden: Fabricating Digital Keys?

2013-06-25 Thread Natanael
That depends on the system. Consider how HDCP encryption was broken;

https://en.wikipedia.org/wiki/High-bandwidth_Digital_Content_Protection

It used a scheme where access to enough keys allowed you to calculate the
master key, breaking the entire scheme.


2013/6/25 Bill Scannell 

> This Daily Beast story on Causa Snowden (
> http://www.thedailybeast.com/articles/2013/06/25/greenwald-snowden-s-files-are-out-there-if-anything-happens-to-him.html)
> contains the following sentence:
>
> "Last week NSA Director Keith Alexander told the House Permanent Select
> Committee on Intelligence that Snowden was able to access files inside the
> NSA by fabricating digital keys that gave him access to areas he was not
> allowed to visit as a low-level contractor and systems administrator. "
>
> How would one fabricate a digital key?
>
>
> -Bill
>


[cryptography] Snowden: Fabricating Digital Keys?

2013-06-25 Thread Bill Scannell
This Daily Beast story on Causa Snowden 
(http://www.thedailybeast.com/articles/2013/06/25/greenwald-snowden-s-files-are-out-there-if-anything-happens-to-him.html)
 contains the following sentence: 

"Last week NSA Director Keith Alexander told the House Permanent Select 
Committee on Intelligence that Snowden was able to access files inside the NSA 
by fabricating digital keys that gave him access to areas he was not allowed to 
visit as a low-level contractor and systems administrator. "

How would one fabricate a digital key?


-Bill


Re: [cryptography] Information-theoretic cryptography for the masses

2013-06-25 Thread Oleksandr Nikitin
On 2013-06-25 16:25, Tom Ritter wrote:
> From a high level view this looks like it provides similar features as
> OTR + OTR's SMP.  Which works pretty well.
Thanks. Couple of points I worry about:
- Does the KS actually provide reasonable entropy? How can one measure
whether it really performs as advertised? When to terminate the
protocol? And so on. We still are "at least as good as RSA", though.
- Alice and Bob mutually depend on the quality of each others' one-time
RSA keys. Can this be somehow helped?

> 
> Well, actually, I have to say it works 'okay' because in practice I
> have to run SMP a couple of times with my partner until we hit upon
> the identical punctuation, capitalization, and question to which we
> both have the same unambiguous answer.
Yeah, it can be pretty annoying but I currently don't know of a better
mutual auth protocol :( Could be helped with a bit of "text
normalization" applied by both parties' software, I guess.

> 
> -tom
> 






Re: [cryptography] Information-theoretic cryptography for the masses

2013-06-25 Thread Tom Ritter
From a high level view this looks like it provides similar features as
OTR + OTR's SMP.  Which works pretty well.

Well, actually, I have to say it works 'okay' because in practice I
have to run SMP a couple of times with my partner until we hit upon
the identical punctuation, capitalization, and question to which we
both have the same unambiguous answer.

-tom