At 10:06 AM 11/29/00 +0100, [EMAIL PROTECTED] wrote:
You have to agree that the "not using patented algorithms" thing
solves the problem once and for all, if in a somewhat Gordian way
(partly breaking backwards compatibility). We would never had any
problems if not for PGP screwing it up -- by
On Mon, 11 Dec 2000, Enzo Michelangeli wrote:
--Ray Dillinger wrote:
There are times and places where you can use salt, and times and places
where you can't. In order to use salt with a passphrase, you have to
store it somewhere. And that means that a person who has only the
ciphertext
values
(such as dbm files indexed by encrypted passphrase).
Enzo
- Original Message -
From: "Ray Dillinger" [EMAIL PROTECTED]
To: "Enzo Michelangeli" [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, December 11, 2000 10:44 AM
Subject: Re: migration paradigm
At 12:12 PM 12/10/2000 -0500, you wrote:
snip ---
Finally, I'd like to see software that employs passphrases offer to
suggest a passphrase, rather than let the poor user sort through all
the conflicting -- and often bad --
On Tue, 5 Dec 2000, David Honig wrote:
Is there a reason not to use AES block cipher in a hashing mode
if you need a secure digest of some data?
Hashing modes of block ciphers require a re-key for every block, and hence
are really, really slow.
-Bram Cohen
At 03:43 PM 12/6/00 -0600, Rick Smith at Secure Computing wrote:
At 05:04 PM 12/5/00, Ray Dillinger wrote:
If someone wants to enter "sex" as a password, s/he deserves
what s/he gets (although you may put up an "insecure passphrase"
warning box for him/her).
The problem is that there's no
At 10:23 AM 12/8/00 -0800, Bram Cohen wrote:
On Tue, 5 Dec 2000, David Honig wrote:
Is there a reason not to use AES block cipher in a hashing mode
if you need a secure digest of some data?
Hashing modes of block ciphers require a re-key for every block, and hence
are really, really slow.
Rick Smith at Secure Computing [EMAIL PROTECTED] writes:
Now, just how do we intend to address such concerns in our memory-based
authentication systems? Our whole technology for using memorized secrets is
built on the belief that people will remember and recite these secrets
perfectly.
- Original Message -
From: "Bill Stewart" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; "William Allen Simpson"
[EMAIL PROTECTED]
Sent: Friday, December 08, 2000 11:58 PM
Subject: Re: migration paradigm (was: Is PGP broken?)
A more important pro
Bram Cohen [EMAIL PROTECTED] writes:
Is there a reason not to use AES block cipher in a hashing mode
if you need a secure digest of some data?
Hashing modes of block ciphers require a re-key for every block, and hence
are really, really slow.
Well, Rijndael can re-key faster than it can
At 3:35 PM -0600 12/7/2000, Rick Smith at Secure Computing wrote:
At 02:43 PM 12/7/00, Peter Fairbrother wrote:
In WW2 SOE and OSS used original poems which were often pornographic. See
"Between Silk and Cyanide" by Leo Marks for a harrowing account.
Yes, a terrific book. However, the book also
On Sun, 10 Dec 2000, Enzo Michelangeli wrote:
A more important problem with passphrase-based keys is collisions -
two people picking wimpy passwords can end up with the same keys.
Salt should take care of this (as well as reducing the effectiveness
of dictionary attacks).
There are times
At 02:43 PM 12/7/00, Peter Fairbrother wrote:
In WW2 SOE and OSS used original poems which were often pornographic. See
"Between Silk and Cyanide" by Leo Marks for a harrowing account.
Yes, a terrific book. However, the book also contains an important lesson
regarding human memory.
Marks was
From: Rick Smith at Secure Computing [EMAIL PROTECTED]
Does anyone have a citation as to the source of this 1.33 bits/letter
estimate? In other words, who computed it and how? It's in Stinson's crypto
book, but he didn't identify its source. I remember tripping over a
citation for it in
On Wed, Dec 06, 2000 at 08:32:54AM -0200, [EMAIL PROTECTED] wrote:
I've asked previously, but I hope it won't hurt asking
again. Has anyone compared the relative speeds of
(efficient implementations of) the SHA-2 functions and
Rijndael? Are there any figures available?
There is a speed
on 6/12/00 9:43 pm, Rick Smith at Secure Computing at
[snip]
"My name is Ozymandias, king of kings:
Look upon my works, ye Mighty, and despair!"
So the 'new dictonary' for pass phrase attacks contains all the chestnuts
from all the school lit books in the country. I expect there's a lot of
At 05:04 PM 12/5/00, Ray Dillinger wrote:
If someone wants to enter "sex" as a password, s/he deserves
what s/he gets (although you may put up an "insecure passphrase"
warning box for him/her).
The problem is that there's no objective way of knowing when a passphrase
becomes 'insecure' since
At 3:43 PM -0600 12/6/2000, Rick Smith at Secure Computing wrote:
Does anyone have a citation as to the source of this 1.33
bits/letter estimate? In other words, who computed it and how? It's
in Stinson's crypto book, but he didn't identify its source. I
remember tripping over a citation for
David Wagner wrote:
David Honig wrote:
Is there a reason not to use AES block cipher
in a hashing mode if you need a secure digest
of some data?
Yes. The standard hashing modes provide only
128-bit hash digests, and for long-term collision-
resistance, we'd probably like longer
On Mon, 4 Dec 2000, William Allen Simpson wrote:
We could use the excuse of AES implementation to foster a move to a
new common denominator.
AES is silly without an equivalently good secure hash function, which we
don't have right now.
[SHA-2 looks pretty good. What's your problem with it?
-BEGIN PGP SIGNED MESSAGE-
I can see that one can put information associated with a
signature outside the hashed area but I cannot see that one
should do so and I doubt that this will improve security.
First the key-ID. Why should I have it outside the signature?
It's possibly not
At 7:20 PM + 12/4/2000, lcs Mixmaster Remailer wrote:
William Allen Simpson [EMAIL PROTECTED] writes:
My requirements were (off the top of my head, there were more):
4) an agreed algorithm for generating private keys directly from
the passphrase, rather than keeping a private key
"Enzo Michelangeli" [EMAIL PROTECTED] writes:
I have an RFC draft for this which I wrote a while back but it was rejected by
the PKIX WG chair(s) ("I am concerned that we not turn PKIX into PGP with ASN.1
syntax"), and I haven't had the motivation to publish it as an independent
draft - would
On Mon, 4 Dec 2000, Bram Cohen wrote:
[SHA-2 looks pretty good. What's your problem with it? --Perry]
It's slow. It's fast enough for most applications, but then again so is
3DES - either you care about speed or you don't, and if you do, SHA2 just
doesn't rank up there with Rijndael.
-Bram
At 11:59 PM 12/4/00 -0800, Alan Olsen wrote:
The
review of the system during the audit was less than nice, but they still
wanted to go ahead with it.
Didn't they set themselves up for extra liability when fraud
is committed due to their *now conscious* lack of diligence?
Ignorance is bliss,
At 3:04 PM -0800 12/5/2000, Ray Dillinger wrote:
On Tue, 5 Dec 2000, Arnold G. Reinhold wrote:
...
I believe there are applications where a passphrase generated key is
preferable.
I think a standard such as Mr. Simpson suggests is a worthwhile idea.
No one is forced to use a standard just
On Tue, 05 Dec 2000, Bram Cohen wrote:
[SHA-2 looks pretty good. What's your problem with it? --Perry]
It's slow.
Just how slow? Are you sure you tried a production implementation? What
efficiency figures do you have (say, SHA-256 vs. SHA-1 vs. Rijndael)?
Paulo Barreto.
"Steven M. Bellovin" wrote:
Purely procedurally, if you tried to get it published as an RFC it
would probably be bounced by the IESG -- there's a policy against RFCs
that are or appear to be end-runs around a working group. If something
is in a WG's area, it's up to them to publish it.
But
David Honig wrote:
Is there a reason not to use AES block cipher in a hashing mode
if you need a secure digest of some data?
Yes. The standard hashing modes provide only 128-bit hash digests, and
for long-term collision-resistance, we'd probably like longer outputs.
Also, Rijndael has not
-BEGIN PGP SIGNED MESSAGE-
At 05:52 PM 12/3/00 -0800, Bram Cohen wrote:
...
If I recieve mail from a mailing list, it potentially might
have info about both how to encrypt mail sent to the sender,
and how to encrypt mail sent to the list - it really should
be able to include both, and
A problem with including a public key with every plaintext message is that
it isn't very discreet - actually looks kind of ugly in some peoples's
email clients.
You could use a separate PGP/MIME bodypart...
Come to think of it, there are some tricky issues with regards to crypto
on mailing
"Enzo Michelangeli" [EMAIL PROTECTED] writes:
Apart from standards issues, one thing I'd like to see added to popular S/MIME
agents is a mini-CA to issue self-signed certificates. This would allow people
to use S/MIME as they use PGP (who relies on the WoT anyway?), breaking the
dependency from
At 9:55 AM +0100 11/29/2000, PA Axel H Horns wrote:
On 29 Nov 2000, at 7:07, Stephan Eisvogel wrote:
Adam Back wrote:
(And also without IDEA support for patent reasons even now
that the RSA patent has expired.)
Do you know when the IDEA patent will expire? I will hold a
small party
On Mon, 4 Dec 2000, Ian Brown wrote:
Come to think of it, there are some tricky issues with regards to crypto
on mailing lists, it might make sense to have a
X-crypto-originator [EMAIL PROTECTED] line in the headers to specify that the
crypto information contained in that piece of mail
William Allen Simpson [EMAIL PROTECTED] writes:
My requirements were (off the top of my head, there were more):
4) an agreed algorithm for generating private keys directly from
the passphrase, rather than keeping a private key database.
Moving folks from laptop to desktop has
It is often useful to include some information associated with a signature
that is not in the hashed portion. There are several reasons for this.
First, some information is not security critical and there is no reason
to hash it. Second, some such information may be subject to change and
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 4 Dec 2000, lcs Mixmaster Remailer wrote:
Examples of the first case would be an identifier which indicates the
signing key. In PGP this would be the key ID; in SMIME, CMS and other
PKCS-7 derived formats it is the IssuerAndSerialNumber.
- Original Message -
From: "lcs Mixmaster Remailer" [EMAIL PROTECTED]
Sent: Tuesday, December 05, 2000 3:20 AM
William Allen Simpson [EMAIL PROTECTED] writes:
My requirements were (off the top of my head, there were more):
4) an agreed algorithm for generating private keys
- Original Message -
From: "Peter Gutmann" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Tuesday, December 05, 2000 4:45 AM
Subject: Re: Is PGP broken?
"Enzo Michelangeli" [EMAIL PROTECTED] writes:
Apart from standards issues
"L. Sassaman" wrote:
PGP will also never have the platform coverage that open source software
can have. In addition to all the platforms (except Macintosh) that PGP
supports, GnuPG runs on Irix, True64, FreeBSD, NetBSD, OpenBSD, BSD/OS,
SCO, SunOS, and others. That's not PGP's fault; it's
Bram Cohen writes:
Not that I'm going to propose a new standard or even modifications to old
ones - there are already too many of those, the problem is making one of
them acceptable, or develpoing a new one which has a good chance of
getting universal support.
Have you looked at
-BEGIN PGP SIGNED MESSAGE-
"L. Sassaman" [EMAIL PROTECTED] wrote:
Shameless plug: Ben Laurie and I were discussing this exact topic earlier
this month. I'm going to England next month to sit down and hash out
exactly what we want to do, but we would like to add OpenPGP features to
On Wed, 29 Nov 2000, Ian BROWN wrote:
Bram Cohen wrote:
What we really need is a system which just stops passive attacks. The best
idea I've come up with so far is for all outgoing messages to have a
public key attached, and if you have the public key of an email address
you're sending to
-- 2
At 12:01 PM 12/3/00 -0800, Bram Cohen wrote:
A problem with including a public key with every plaintext message is that
it isn't very discreet - actually looks kind of ugly in some peoples's
email clients. This could be changed by making a header line saying
something like
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
In my opinion, cryptography should be seen as an evolutionary
process. Protocols are continuously evaluated for their "fitness" in the
context of current number theory, advances in computers/CPUs, and many
individual/company/implementation specific
On Sun, 3 Dec 2000, Ben Laurie wrote:
Bram Cohen wrote:
Come to think of it, there are some tricky issues with regards to crypto
on mailing lists, it might make sense to have a
X-crypto-originator [EMAIL PROTECTED] line in the headers to specify that the
crypto information contained
- Original Message -
From: "Peter Gutmann" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, November 30, 2000 1:30 PM
Subject: Re: Is PGP broken?
"Enzo Michelangeli" [EMAIL PROTECTED] (or someone, the quoting makes it
difficult to tell)
Yes, that was me.
Russell Nelson wrote:
Is it just me, or is PGP broken? I don't mean any particular version
of PGP -- I mean the fact that there are multiple versions of PGP
which generate incompatible cryptography. Half the time when someone
sends me a PGP-encrypted message, I can't decrypt
Bram Cohen wrote:
What we really need is a system which just stops passive attacks. The best
idea I've come up with so far is for all outgoing messages to have a
public key attached, and if you have the public key of an email address
you're sending to you use it
Indeed -- this is one of the
"Enzo Michelangeli" [EMAIL PROTECTED] (or someone, the quoting makes it difficult to
tell) writes:
If it may of any comfort (or perhaps enhanced desperation), the S/MIME
community has similar headaches: in these days, the [EMAIL PROTECTED] list is
debating whether, in S/MIME v.3, RSA should be
Stefan Kelm writes:
BTW, what do you mean by "point-source PGP signing"?
Instead of leaving your key signing up to your friends, PGP could
benefit from a policy-based signature. You could come up with any
number of policies:
o This keyholder is a Mason/Scout/Rotarian.
o This keyholder is
Not to mention anything about PGP keyservers, or the utter and
complete absence of anybody doing point-source PGP signing.
Yeah, the whole system looks none too scaleable.
It certainly isn't. Please keep in mind, however, that the pgp.net
keyserver system is in no way related to NAI
Adam Back writes:
And lastly even if they had done it right, GPG went in and fucked it
up some more by sticking religiously to the "don't use patented
algorithms" free software mantra to the huge detriment of PGP
interoperability.
You have to agree that the "not using patented
- Original Message -
From: "Bram Cohen" [EMAIL PROTECTED]
To: "Russell Nelson" [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, November 29, 2000 10:55 AM
Subject: Re: Is PGP broken?
What we really need is a system which just stops passive attacks. The bes
On 29 Nov 2000, at 7:07, Stephan Eisvogel wrote:
Adam Back wrote:
(And also without IDEA support for patent reasons even now
that the RSA patent has expired.)
Do you know when the IDEA patent will expire? I will hold a
small party myself then. B)
The EP 0 482 154 of ASCOM TECH AG has
Is it just me, or is PGP broken? I don't mean any particular version
of PGP -- I mean the fact that there are multiple versions of PGP
which generate incompatible cryptography. Half the time when someone
sends me a PGP-encrypted message, I can't decrypt it. Presuming that
I'm right, is anyone
On Tue, 28 Nov 2000, Russell Nelson wrote:
Is it just me, or is PGP broken? I don't mean any particular version
of PGP -- I mean the fact that there are multiple versions of PGP
which generate incompatible cryptography.
I'd say that's an accurate assesment.
Presuming that I'm right
, preferring peer-to-peer manual exchanges
followed by out-of-band authentication of the fingerprint...
Enzo
- Original Message -
From: "Russell Nelson" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 29, 2000 10:22 AM
Subject: Is PGP broken?
Is it just me, or is PGP
licensing compared to RSA
(non-commercial use free, fixed published licensing terms, etc)
I'm sure Vin'll give us the RSA labs spin... over to you Vin :-)
Perhaps even some PGP folks would like to defend their decisions to
release PGP versions without RSA support.
Adam
Is it just me, or is PGP
59 matches
Mail list logo