Re: [cryptography] 100 Gbps line rate encryption

[Peter Gutmann]

Matthew Green  writes:

>In summary, don't use RC4. Don't use it carelessly with IVs. And don't use
>RC4.

The first rule of RC4 club is...

Peter.
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

[cryptography] New Bletchley Park and Ethics of Cyber Warfare

[John Young]

http://cryptome.org/2013/07/bletchley-cyberwar-ethics.htm


___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

[Jeffrey Walton]

On Tue, Jul 16, 2013 at 5:04 AM, coderman  wrote:
>...
>
> in short:
>
> rather than considering just one or another type of attack, these
> agencies should be assumed to be using all of them with the exploit
> method tailored to the particular access needs and target difficulty
> of every tasking.
>From "In his own words: Confessions of a cyber warrior"
(http://www.infoworld.com/d/security/in-his-own-words-confessions-of-cyber-warrior-66),
page 3:


Grimes [Interviewer]: How many exploits does your unit have access to?

Cyber warrior: Literally tens of thousands -- it's more than that. We
have tens of thousands of ready-to-use bugs in single applications,
single operating systems.

Grimes [Interviewer]: Is most of it zero-days?

Cyber warrior: It's all zero-days. Literally, if you can name the
software or the controller, we have ways to exploit it. There is no
software that isn't easily crackable. In the last few years, every
publicly known and patched bug makes almost no impact on us. They
aren't scratching the surface.

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] Message

[coderman]

On Tue, Jul 16, 2013 at 10:27 AM, John Young  wrote:
> -BEGIN PGP MESSAGE-
> ...
> -END PGP MESSAGE-


you know you can use openssl for symmetric encryption, right John?

;)



[NSA can neither confirm nor deny it received your message...]
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] Message

[Tony Arcieri]

Cool message bro


On Tue, Jul 16, 2013 at 10:27 AM, John Young  wrote:

> -BEGIN PGP MESSAGE-
> Version: PGP Desktop 9.6.3 (Build 3017)
>
> qANQR1DDDQQJAwIXvi8KsWclFpDScQ**E+4jMr/**vUA6S04zV34wNYWizM9us1RAST3
> sBEzlFcdRswogIGk52rTgpSi1gPQiO**OcHWLWxmbf4NENBkiW1SEtv1qEAG87**L+Ir
> kLJbnxerzrQiRNbH06h6EwNzNDMvL8**/yjFdHaaf5P/JSR7JvHDys
> =C7n+
> -END PGP MESSAGE-
>
>
> __**_
> cryptography mailing list
> cryptography@randombit.net
> http://lists.randombit.net/**mailman/listinfo/cryptography
>



-- 
Tony Arcieri
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

[cryptography] Message

[John Young]

-BEGIN PGP MESSAGE-
Version: PGP Desktop 9.6.3 (Build 3017)

qANQR1DDDQQJAwIXvi8KsWclFpDScQE+4jMr/vUA6S04zV34wNYWizM9us1RAST3
sBEzlFcdRswogIGk52rTgpSi1gPQiOOcHWLWxmbf4NENBkiW1SEtv1qEAG87L+Ir
kLJbnxerzrQiRNbH06h6EwNzNDMvL8/yjFdHaaf5P/JSR7JvHDys
=C7n+
-END PGP MESSAGE-


___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] 100 Gbps line rate encryption

[Matthew Green]

The use of RC4 should be avoided even with the drop-N due to biases that occur 
later in the key stream. You should also be extremely careful about mixing IVs 
with the key. At a minimum you ought to use a modern cryptographic hash 
function -- there's no evidence that repeating key setup is sufficient to 
prevent correlations. 

http://www.isg.rhul.ac.uk/tls/RC4biases.pdf

In summary, don't use RC4. Don't use it carelessly with IVs. And don't use RC4. 

Consider using Salsa20 instead. 

Matt

On Jul 16, 2013, at 10:43 AM, Thor Lancelot Simon  wrote:

> On Tue, Jul 16, 2013 at 03:23:01AM -0400, William Allen Simpson wrote:
>> On 6/22/13 8:24 PM, Greg Rose wrote:
>>> 
>>> On Jun 22, 2013, at 15:31 , James A. Donald  wrote:
>>> 
 On 2013-06-23 6:47 AM, Peter Maxwell wrote:
> I think Bernstein's Salsa20 is faster and significantly more secure than 
> RC4, whether you'll be able to design hardware to run at line-speed is 
> somewhat more questionable though (would be interested to know if it's 
> possible right enough).
 
 I would be surprised if it is faster.
>>> 
>>> Be surprised, then... almost all of the recent word- or block- oriented 
>>> stream ciphers are faster than RC4. And NOTHING should still be using RC4; 
>>> by today's standards it is quite insecure.
>> So I spent some (much too much) time reading old PPP archives on our
>> earlier discussions selecting an algorithm.  Sadly, 3DES was chosen,
>> but rarely implemented.
>> 
>> I cobbled together a draft based on old discussion for ARC4.  It
>> surely needs more work.  Although (as you mention) that's old stuff,
>> it has the advantage of having running code in most existing systems,
>> and could be rolled out quickly on high speed connections.
>> 
>> http://tools.ietf.org/html/draft-simpson-ppp-arc4-00
> 
> If you're really going to publish a new RFC -- even an Experimental
> one -- using RC4, you should really use RC4-drop-N.  For even moderately
> sized packets and reasonable values of N, if you effectively rekey every
> packet, you will end up wasting 25-50% of the throughput of the system.
> 
> Conclusion: RC4 is particularly poorly suited for this application
> in the modern day.
> 
> Thor
> ___
> cryptography mailing list
> cryptography@randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] 100 Gbps line rate encryption

[Sandy Harris]

William Allen Simpson  wrote:

> A quick question: what are our current options for 100 Gbps
> line rate encryption?
>
> Are we still using variants of ARC4?

The European Union's Estream contest gave two small
portfolios of ciphers, four for software implementation
and three for hardware. That is the first place I'd look.

http://www.ecrypt.eu.org/stream/index.html


--
Who put a stop payment on my reality check?
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] 100 Gbps line rate encryption

[Thor Lancelot Simon]

On Tue, Jul 16, 2013 at 03:23:01AM -0400, William Allen Simpson wrote:
> On 6/22/13 8:24 PM, Greg Rose wrote:
> >
> >On Jun 22, 2013, at 15:31 , James A. Donald  wrote:
> >
> >>On 2013-06-23 6:47 AM, Peter Maxwell wrote:
> >>>I think Bernstein's Salsa20 is faster and significantly more secure than 
> >>>RC4, whether you'll be able to design hardware to run at line-speed is 
> >>>somewhat more questionable though (would be interested to know if it's 
> >>>possible right enough).
> >>
> >>I would be surprised if it is faster.
> >
> >Be surprised, then... almost all of the recent word- or block- oriented 
> >stream ciphers are faster than RC4. And NOTHING should still be using RC4; 
> >by today's standards it is quite insecure.
> >
> So I spent some (much too much) time reading old PPP archives on our
> earlier discussions selecting an algorithm.  Sadly, 3DES was chosen,
> but rarely implemented.
> 
> I cobbled together a draft based on old discussion for ARC4.  It
> surely needs more work.  Although (as you mention) that's old stuff,
> it has the advantage of having running code in most existing systems,
> and could be rolled out quickly on high speed connections.
> 
> http://tools.ietf.org/html/draft-simpson-ppp-arc4-00

If you're really going to publish a new RFC -- even an Experimental
one -- using RC4, you should really use RC4-drop-N.  For even moderately
sized packets and reasonable values of N, if you effectively rekey every
packet, you will end up wasting 25-50% of the throughput of the system.

Conclusion: RC4 is particularly poorly suited for this application
in the modern day.

Thor
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

[coderman]

On Mon, Jul 15, 2013 at 8:39 AM, The Doctor  wrote:
> ...
> Why hire ninjas to backdoor a chip when you can have someone look for
> 0-days?  Cheaper and emminently practical.  Oh, and already being done.

these are complimentary methods. for some targets you may not care
about stealth, or visible breakage, or active methods. 0wn their apps,
OS, network devices, whatever soft targets for great success.

sometimes you need stealth and longevity; a weakened key space
sufficient to attack with modest hardware (c.f. NSA Utah ;) could go
undetected for years, if ever noticed.

all cursory checks show encryption functional, side channels
squelched, implementation operational - and yet, here you are using
long lived public keys, symmetric session keys, and other secrets with
insufficient entropy.

  result: all your security is null and all your content in the hands
of the adversary.

---

consider the focus on baseband attacks for mobile. is it easier to own
the application or OS layers? absolutely.  but this is also
potentially mitigated by fine grained access controls, custom ROMs,
many various techniques in these same application and OS layers.

a baseband exploit cares nothing for the OS and application layer
details, instead providing direct access to device memory and
interfaces surreptitiously for keys in memory and content on device.
  even airplane mode can be hacked into open mic night while the user
is none the wiser!

baseband attacks are much more complicated, device specific, and
expensive (for some measure of cost) compared to the easier and more
plentiful application and OS layer hacks on android and iOS, but this
cost is justified by the significant improvement in capability,
stealth, and reliability.

---

in short:

rather than considering just one or another type of attack, these
agencies should be assumed to be using all of them with the exploit
method tailored to the particular access needs and target difficulty
of every tasking.
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] 100 Gbps line rate encryption

[William Allen Simpson]

On 6/22/13 8:24 PM, Greg Rose wrote:


On Jun 22, 2013, at 15:31 , James A. Donald  wrote:


On 2013-06-23 6:47 AM, Peter Maxwell wrote:

I think Bernstein's Salsa20 is faster and significantly more secure than RC4, 
whether you'll be able to design hardware to run at line-speed is somewhat more 
questionable though (would be interested to know if it's possible right enough).


I would be surprised if it is faster.


Be surprised, then... almost all of the recent word- or block- oriented stream 
ciphers are faster than RC4. And NOTHING should still be using RC4; by today's 
standards it is quite insecure.


So I spent some (much too much) time reading old PPP archives on our
earlier discussions selecting an algorithm.  Sadly, 3DES was chosen,
but rarely implemented.

I cobbled together a draft based on old discussion for ARC4.  It
surely needs more work.  Although (as you mention) that's old stuff,
it has the advantage of having running code in most existing systems,
and could be rolled out quickly on high speed connections.

http://tools.ietf.org/html/draft-simpson-ppp-arc4-00

I was attempting a draft for Salsa20, then discovered there's a
successor called ChaCha.  Since I didn't also have enough time to
investigate (and it wasn't mentioned here), I held off pushing out
the Salsa20 draft.

But I'd like to have something more modern in the pipeline.
Please discuss.

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography