At 10:06 AM 11/29/00 +0100, [EMAIL PROTECTED] wrote:
>You have to agree that the "not using patented algorithms" thing
>solves the problem once and for all, if in a somewhat Gordian way
>(partly breaking backwards compatibility). We would never had any
>problems if not for PGP screwing it up -- b
At 12:12 PM 12/10/2000 -0500, you wrote:
>
snip ---
>
>Finally, I'd like to see software that employs passphrases offer to
>suggest a passphrase, rather than let the poor user sort through all
>the conflicting -- and often bad
Ray Dillinger <[EMAIL PROTECTED]> writes:
> There are times and places where you can use salt, and times and places
> where you can't. In order to use salt with a passphrase, you have to
> store it somewhere. And that means that a person who has only the
> ciphertext and the passphrase cannot
values
(such as dbm files indexed by encrypted passphrase).
Enzo
- Original Message -
From: "Ray Dillinger" <[EMAIL PROTECTED]>
To: "Enzo Michelangeli" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, December 11, 2000 10:44 AM
Subject: Re:
On Mon, 11 Dec 2000, Enzo Michelangeli wrote:
>--Ray Dillinger wrote:
>
>> There are times and places where you can use salt, and times and places
>> where you can't. In order to use salt with a passphrase, you have to
>> store it somewhere. And that means that a person who has only the
>> ci
On Sun, 10 Dec 2000, Enzo Michelangeli wrote:
>> A more important problem with passphrase-based keys is collisions -
>> two people picking wimpy passwords can end up with the same keys.
>
>Salt should take care of this (as well as reducing the effectiveness
>of dictionary attacks).
There are t
At 3:35 PM -0600 12/7/2000, Rick Smith at Secure Computing wrote:
>At 02:43 PM 12/7/00, Peter Fairbrother wrote:
>
>>In WW2 SOE and OSS used original poems which were often pornographic. See
>>"Between Silk and Cyanide" by Leo Marks for a harrowing account.
>
>Yes, a terrific book. However, the bo
Bram Cohen <[EMAIL PROTECTED]> writes:
> > Is there a reason not to use AES block cipher in a hashing mode
> > if you need a secure digest of some data?
>
> Hashing modes of block ciphers require a re-key for every block, and hence
> are really, really slow.
Well, Rijndael can re-key faster tha
- Original Message -
From: "Bill Stewart" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; "William Allen Simpson"
<[EMAIL PROTECTED]>
Sent: Friday, December 08, 2000 11:58 PM
Subject: Re: migration paradigm (was: Is PG
Rick Smith at Secure Computing <[EMAIL PROTECTED]> writes:
> Now, just how do we intend to address such concerns in our memory-based
> authentication systems? Our whole technology for using memorized secrets is
> built on the belief that people will remember and recite these secrets
> perfectly
At 10:23 AM 12/8/00 -0800, Bram Cohen wrote:
>On Tue, 5 Dec 2000, David Honig wrote:
>
>> Is there a reason not to use AES block cipher in a hashing mode
>> if you need a secure digest of some data?
>
>Hashing modes of block ciphers require a re-key for every block, and hence
>are really, really
At 03:43 PM 12/6/00 -0600, Rick Smith at Secure Computing wrote:
>At 05:04 PM 12/5/00, Ray Dillinger wrote:
>
>>If someone wants to enter "sex" as a password, s/he deserves
>>what s/he gets (although you may put up an "insecure passphrase"
>>warning box for him/her).
>
>The problem is that there's
On Tue, 5 Dec 2000, David Honig wrote:
> Is there a reason not to use AES block cipher in a hashing mode
> if you need a secure digest of some data?
Hashing modes of block ciphers require a re-key for every block, and hence
are really, really slow.
-Bram Cohen
On Wed, Dec 06, 2000 at 08:32:54AM -0200, [EMAIL PROTECTED] wrote:
> I've asked previously, but I hope it won't hurt asking
> again. Has anyone compared the relative speeds of
> (efficient implementations of) the SHA-2 functions and
> Rijndael? Are there any figures available?
There is a speed co
At 02:43 PM 12/7/00, Peter Fairbrother wrote:
>In WW2 SOE and OSS used original poems which were often pornographic. See
>"Between Silk and Cyanide" by Leo Marks for a harrowing account.
Yes, a terrific book. However, the book also contains an important lesson
regarding human memory.
Marks was
From: Rick Smith at Secure Computing <[EMAIL PROTECTED]>
> Does anyone have a citation as to the source of this 1.33 bits/letter
> estimate? In other words, who computed it and how? It's in Stinson's crypto
> book, but he didn't identify its source. I remember tripping over a
> citation for it
on 6/12/00 9:43 pm, Rick Smith at Secure Computing at
[snip]
>> "My name is Ozymandias, king of kings:
>> Look upon my works, ye Mighty, and despair!"
>
> So the 'new dictonary' for pass phrase attacks contains all the chestnuts
> from all the school lit books in the country. I expect there's a l
At 3:43 PM -0600 12/6/2000, Rick Smith at Secure Computing wrote:
>Does anyone have a citation as to the source of this 1.33
>bits/letter estimate? In other words, who computed it and how? It's
>in Stinson's crypto book, but he didn't identify its source. I
>remember tripping over a citation fo
At 05:04 PM 12/5/00, Ray Dillinger wrote:
>If someone wants to enter "sex" as a password, s/he deserves
>what s/he gets (although you may put up an "insecure passphrase"
>warning box for him/her).
The problem is that there's no objective way of knowing when a passphrase
becomes 'insecure' since
David Wagner wrote:
> David Honig wrote:
> > Is there a reason not to use AES block cipher
> > in a hashing mode if you need a secure digest
> > of some data?
>
> Yes. The standard hashing modes provide only
> 128-bit hash digests, and for long-term collision-
> resistance, we'd probably like
David Honig wrote:
>Is there a reason not to use AES block cipher in a hashing mode
>if you need a secure digest of some data?
Yes. The standard hashing modes provide only 128-bit hash digests, and
for long-term collision-resistance, we'd probably like longer outputs.
Also, Rijndael has not b
"Steven M. Bellovin" wrote:
> Purely procedurally, if you tried to get it published as an RFC it
> would probably be bounced by the IESG -- there's a policy against RFCs
> that are or appear to be end-runs around a working group. If something
> is in a WG's area, it's up to them to publish it.
On Tue, 05 Dec 2000, Bram Cohen wrote:
> > [SHA-2 looks pretty good. What's your problem with it? --Perry]
>
> It's slow.
Just how slow? Are you sure you tried a production implementation? What
efficiency figures do you have (say, SHA-256 vs. SHA-1 vs. Rijndael)?
Paulo Barreto.
At 3:04 PM -0800 12/5/2000, Ray Dillinger wrote:
>On Tue, 5 Dec 2000, Arnold G. Reinhold wrote:
>
...
> >I believe there are applications where a passphrase generated key is
>>preferable.
>
>>I think a standard such as Mr. Simpson suggests is a worthwhile idea.
>>No one is forced to use a standar
At 11:59 PM 12/4/00 -0800, Alan Olsen wrote:
>The
>review of the system during the audit was less than nice, but they still
>wanted to go ahead with it.
Didn't they set themselves up for extra liability when fraud
is committed due to their *now conscious* lack of diligence?
Ignorance is bliss
At 11:19 PM 12/4/00 -0800, Bram Cohen wrote:
>On Mon, 4 Dec 2000, William Allen Simpson wrote:
>
>> We could use the excuse of AES implementation to foster a move to a
>> new common denominator.
>
>AES is silly without an equivalently good secure hash function, which we
>don't have right now.
>
In message <[EMAIL PROTECTED]>, Bram Coh
en writes:
>On Mon, 4 Dec 2000, Bram Cohen wrote:
>>
>> [SHA-2 looks pretty good. What's your problem with it? --Perry]
>
>It's slow. It's fast enough for most applications, but then again so is
>3DES - either you care about speed or you don't, and if you
On Tue, 5 Dec 2000, Arnold G. Reinhold wrote:
>At 7:20 PM + 12/4/2000, lcs Mixmaster Remailer wrote:
>>William Allen Simpson <[EMAIL PROTECTED]> writes:
>>> 4) an agreed algorithm for generating private keys directly from
>>> the passphrase, rather than keeping a private key database.
On Mon, 4 Dec 2000, Bram Cohen wrote:
>
> [SHA-2 looks pretty good. What's your problem with it? --Perry]
It's slow. It's fast enough for most applications, but then again so is
3DES - either you care about speed or you don't, and if you do, SHA2 just
doesn't rank up there with Rijndael.
-Bram
"Enzo Michelangeli" <[EMAIL PROTECTED]> writes:
>>I have an RFC draft for this which I wrote a while back but it was rejected by
>>the PKIX WG chair(s) ("I am concerned that we not turn PKIX into PGP with ASN.1
>>syntax"), and I haven't had the motivation to publish it as an independent
>>draft -
At 7:20 PM + 12/4/2000, lcs Mixmaster Remailer wrote:
>William Allen Simpson <[EMAIL PROTECTED]> writes:
>> My requirements were (off the top of my head, there were more):
>>
>> 4) an agreed algorithm for generating private keys directly from
>> the passphrase, rather than keeping a priva
On Tue, 5 Dec 2000, Enzo Michelangeli wrote:
> I'm not sure about this, unless you assume that the best attacks are based
> on dictionary search (which, for PK algorithms, can be pretty
> time-consuming). Let's suppose that the entropy of the passphrase only
> amounts to 100 bits: my gut feeling
-BEGIN PGP SIGNED MESSAGE-
I can see that one can put information associated with a
signature outside the hashed area but I cannot see that one
should do so and I doubt that this will improve security.
First the key-ID. Why should I have it outside the signature?
It's possibly not secur
On Mon, 4 Dec 2000, William Allen Simpson wrote:
> We could use the excuse of AES implementation to foster a move to a
> new common denominator.
AES is silly without an equivalently good secure hash function, which we
don't have right now.
[SHA-2 looks pretty good. What's your problem with it?
- Original Message -
From: "Peter Gutmann" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, December 05, 2000 4:45 AM
Subject: Re: Is PGP broken?
> "Enzo Michelangeli" <[EMAIL PROTECT
- Original Message -
From: "lcs Mixmaster Remailer" <[EMAIL PROTECTED]>
Sent: Tuesday, December 05, 2000 3:20 AM
> William Allen Simpson <[EMAIL PROTECTED]> writes:
> > My requirements were (off the top of my head, there were more):
> >
> > 4) an agreed algorithm for generating private
In message <[EMAIL PROTECTED]>, Peter Gutmann writes:
>"Enzo Michelangeli" <[EMAIL PROTECTED]> writes:
>
>>Apart from standards issues, one thing I'd like to see added to popular S/MIM
>E
>>agents is a mini-CA to issue self-signed certificates. This would allow peopl
>e
>>to use S/MIME as they use
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 4 Dec 2000, lcs Mixmaster Remailer wrote:
> Examples of the first case would be an identifier which indicates the
> signing key. In PGP this would be the key ID; in SMIME, CMS and other
> PKCS-7 derived formats it is the IssuerAndSerialNumber. T
It is often useful to include some information associated with a signature
that is not in the hashed portion. There are several reasons for this.
First, some information is not security critical and there is no reason
to hash it. Second, some such information may be subject to change and
update
William Allen Simpson <[EMAIL PROTECTED]> writes:
> My requirements were (off the top of my head, there were more):
>
> 4) an agreed algorithm for generating private keys directly from
> the passphrase, rather than keeping a private key database.
> Moving folks from laptop to desktop h
On Mon, 4 Dec 2000, Ian Brown wrote:
> > Come to think of it, there are some tricky issues with regards to crypto
> > on mailing lists, it might make sense to have a
> > X-crypto-originator [EMAIL PROTECTED] line in the headers to specify that the
> > crypto information contained in that piece of
At 9:55 AM +0100 11/29/2000, PA Axel H Horns wrote:
>On 29 Nov 2000, at 7:07, Stephan Eisvogel wrote:
>
>> Adam Back wrote:
>> > (And also without IDEA support for patent reasons even now
>> > that the RSA patent has expired.)
>>
>> Do you know when the IDEA patent will expire? I will hold a
>> sm
"Enzo Michelangeli" <[EMAIL PROTECTED]> writes:
>Apart from standards issues, one thing I'd like to see added to popular S/MIME
>agents is a mini-CA to issue self-signed certificates. This would allow people
>to use S/MIME as they use PGP (who relies on the WoT anyway?), breaking the
>dependency
-BEGIN PGP SIGNED MESSAGE-
On Sun, 3 Dec 2000, L. Sassaman wrote:
> Though, as I pointed out to Ralf in private email, subpacket 16 should be
> permitted outside of the signature. Other than that, I can see no packet
> that needs to be placed outside the signature,
I still can not see
David Bird wrote:
>
> In my opinion, cryptography should be seen as an evolutionary
> process. Protocols are continuously evaluated for their "fitness" in the
> context of current number theory, advances in computers/CPUs, and many
> individual/company/implementation specific requirements. It may
> A problem with including a public key with every plaintext message is that
> it isn't very discreet - actually looks kind of ugly in some peoples's
> email clients.
You could use a separate PGP/MIME bodypart...
> Come to think of it, there are some tricky issues with regards to crypto
> on mai
-BEGIN PGP SIGNED MESSAGE-
At 05:52 PM 12/3/00 -0800, Bram Cohen wrote:
...
>If I recieve mail from a mailing list, it potentially might
>have info about both how to encrypt mail sent to the sender,
>and how to encrypt mail sent to the list - it really should
>be able to include both, an
- Original Message -
From: "Peter Gutmann" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 30, 2000 1:30 PM
Subject: Re: Is PGP broken?
> "Enzo Michelangeli" <[EMAIL PROTECTED]> (or someone, the quoting makes it
> dif
On Sun, 3 Dec 2000, Ben Laurie wrote:
> Bram Cohen wrote:
> >
> > Come to think of it, there are some tricky issues with regards to crypto
> > on mailing lists, it might make sense to have a
> > X-crypto-originator [EMAIL PROTECTED] line in the headers to specify that the
> > crypto information
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
In my opinion, cryptography should be seen as an evolutionary
process. Protocols are continuously evaluated for their "fitness" in the
context of current number theory, advances in computers/CPUs, and many
individual/company/implementation specific re
-- 2
At 12:01 PM 12/3/00 -0800, Bram Cohen wrote:
>A problem with including a public key with every plaintext message is that
>it isn't very discreet - actually looks kind of ugly in some peoples's
>email clients. This could be changed by making a header line saying
>something like X-accepts-c
t
can't be stolen. I suppose that any discrete-log algorithm would be eligible
(not only ECC).
Enzo
- Original Message -
From: "Ralf Senderek" <[EMAIL PROTECTED]>
To: "L. Sassaman" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Sunday,
Bram Cohen wrote:
>
> On Wed, 29 Nov 2000, Ian BROWN wrote:
>
> > Bram Cohen wrote:
> > >What we really need is a system which just stops passive attacks. The best
> > >idea I've come up with so far is for all outgoing messages to have a
> > >public key attached, and if you have the public key o
On Wed, 29 Nov 2000, Ian BROWN wrote:
> Bram Cohen wrote:
> >What we really need is a system which just stops passive attacks. The best
> >idea I've come up with so far is for all outgoing messages to have a
> >public key attached, and if you have the public key of an email address
> >you're send
-BEGIN PGP SIGNED MESSAGE-
"L. Sassaman" <[EMAIL PROTECTED]> wrote:
> Shameless plug: Ben Laurie and I were discussing this exact topic earlier
> this month. I'm going to England next month to sit down and hash out
> exactly what we want to do, but we would like to add OpenPGP features t
Bram Cohen writes:
> Not that I'm going to propose a new standard or even modifications to old
> ones - there are already too many of those, the problem is making one of
> them acceptable, or develpoing a new one which has a good chance of
> getting universal support.
Have you looked at Crypt
"L. Sassaman" wrote:
> PGP will also never have the platform coverage that open source software
> can have. In addition to all the platforms (except Macintosh) that PGP
> supports, GnuPG runs on Irix, True64, FreeBSD, NetBSD, OpenBSD, BSD/OS,
> SCO, SunOS, and others. That's not PGP's fault; it's
Stefan Kelm writes:
> BTW, what do you mean by "point-source PGP signing"?
Instead of leaving your key signing up to your friends, PGP could
benefit from a policy-based signature. You could come up with any
number of policies:
o This keyholder is a Mason/Scout/Rotarian.
o This keyholder is
"Enzo Michelangeli" <[EMAIL PROTECTED]> (or someone, the quoting makes it difficult to
tell) writes:
>If it may of any comfort (or perhaps enhanced desperation), the S/MIME
>community has similar headaches: in these days, the [EMAIL PROTECTED] list is
>debating whether, in S/MIME v.3, RSA shoul
Bram Cohen wrote:
>What we really need is a system which just stops passive attacks. The best
>idea I've come up with so far is for all outgoing messages to have a
>public key attached, and if you have the public key of an email address
>you're sending to you use it
Indeed -- this is one of the c
Russell Nelson wrote:
>
> Is it just me, or is PGP broken? I don't mean any particular version
> of PGP -- I mean the fact that there are multiple versions of PGP
> which generate incompatible cryptography. Half the time when someone
> sends me a PGP-encrypted message
> > Not to mention anything about PGP keyservers, or the utter and
> > complete absence of anybody doing point-source PGP signing.
>
> Yeah, the whole system looks none too scaleable.
It certainly isn't. Please keep in mind, however, that the pgp.net
keyserver system is in no way related to NAI
Adam Back writes:
> And lastly even if they had done it right, GPG went in and fucked it
> up some more by sticking religiously to the "don't use patented
> algorithms" free software mantra to the huge detriment of PGP
> interoperability.
You have to agree that the "not using patented algo
On 29 Nov 2000, at 7:07, Stephan Eisvogel wrote:
> Adam Back wrote:
> > (And also without IDEA support for patent reasons even now
> > that the RSA patent has expired.)
>
> Do you know when the IDEA patent will expire? I will hold a
> small party myself then. B)
The EP 0 482 154 of ASCOM TECH A
- Original Message -
From: "Bram Cohen" <[EMAIL PROTECTED]>
To: "Russell Nelson" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, November 29, 2000 10:55 AM
Subject: Re: Is PGP broken?
> What we really need is a system which just st
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
It has been well over two years since the last version of PGP which
did not support RSA (6.0.2), and even then most editions still
supported RSA. I didn't make the decision to not ship RSA in
particular editions of PGP, but the fact is that it was the
Adam Back wrote:
> (And also without IDEA support for patent reasons even now
> that the RSA patent has expired.)
Do you know when the IDEA patent will expire? I will hold a
small party myself then. B)
--
hawo bofh
bly reasonable about licensing compared to RSA
(non-commercial use free, fixed published licensing terms, etc)
I'm sure Vin'll give us the RSA labs spin... over to you Vin :-)
Perhaps even some PGP folks would like to defend their decisions to
release PGP versions without RSA support.
Ada
On Tue, 28 Nov 2000, Russell Nelson wrote:
> Is it just me, or is PGP broken? I don't mean any particular version
> of PGP -- I mean the fact that there are multiple versions of PGP
> which generate incompatible cryptography.
I'd say that's an accurate assesment.
&g
it anyway, preferring peer-to-peer manual exchanges
followed by out-of-band authentication of the fingerprint...
Enzo
- Original Message -
From: "Russell Nelson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 29, 2000 10:22 AM
Subject: Is PGP broken?
&
Is it just me, or is PGP broken? I don't mean any particular version
of PGP -- I mean the fact that there are multiple versions of PGP
which generate incompatible cryptography. Half the time when someone
sends me a PGP-encrypted message, I can't decrypt it. Presuming that
I'm r
71 matches
Mail list logo
