Arggh! Of course, this superencryption wouldn't help against the CBC padding
attacks, because the attacker would learn plaintext without bothering with the
other layers of encryption. The only way to solve that is to preprocess the
plaintext in some way that takes the attacker's power to induc
For hash functions, MACs, and signature schemes, simply concatenating
hashes/MACs/signatures gives you at least the security of the stronger one.
Joux multicollisions simply tell us that concatenating two or more hashes of
the same size doesn't improve their resistance to brute force collision s
On Wed, Sep 18, 2013, at 11:02 AM, John Gilmore wrote:
> That document is here:
>
> http://www.uscourts.gov/uscourts/courts/fisc/br13-09-primary-order.pdf
Page 4:
"In granting the government's request, the Court has prohibited the
government from accessing the data for any other intelligen
The FISA court has a web site (newly, this year):
http://www.uscourts.gov/uscourts/courts/fisc/index.html
Today they released a "Memorandum Opinion and Primary Order" in
case BR 13-109 ("Business Records, 2013, case 109"), which lays
out the legal reasoning behind ordering several telephone co
On 9/17/13 at 4:18 PM, leich...@lrw.com (Jerry Leichter) wrote:
MAC'ing the actual data always seemed more "logical" to me, but
once you look at the actual situation, it no longer seems like
the right thing to do.
When I chose MAC then encrypt I was using the MAC to check the
crypto code. CR
Techdirt takes apart his statement here:
https://www.techdirt.com/articles/20130917/02391824549/nsa-needs-to-give-its-rank-and-file-new-talking-points-defending-surveillance-old-ones-are-stale.shtml
NSA Needs To Give Its Rank-and-File New Talking Points Defending
Surveillance; The Old
At a stretch, one can imagine circumstances in which trying multiple seeds
to choose a curve would lead to an attack that we would not easily
replicate. I don't suggest that this is really what happened; I'm just
trying to work out whether it's possible.
Suppose you can easily break an elliptic cu
Re: http://www.zdnet.com/nsa-cryptanalyst-we-too-are-americans-720689/
In his Big Data argument, NSA analyst Roger Barkan carefully
skips over the question of what rules there should be for government
*collecting* big data, claiming that "what matters" are the rules for
how the data is used, *
On Sep 17, 2013, at 7:18 PM, Jerry Leichter wrote:
> On Sep 17, 2013, at 6:21 PM, John Kelsey wrote:
>>> I confess I'm not sure what the current state of research is on MAC
>>> then Encrypt vs. Encrypt then MAC -- you may want to check on that.
>>
>> Encrypt then MAC has a couple of big advanta
On Sep 17, 2013, at 6:21 PM, John Kelsey wrote:
>> I confess I'm not sure what the current state of research is on MAC
>> then Encrypt vs. Encrypt then MAC -- you may want to check on that.
>
> Encrypt then MAC has a couple of big advantages centering around the idea
> that you don't have to wor
On Sep 17, 2013, at 5:31 PM, Viktor Dukhovni wrote:
> ...And indeed the FUD around the NIST EC curves is rather unfortunate.
> Is secp256r1 better or worse than 1024-bit EDH?
Given our state of knowledge both of the mathematics, and of games NSA has been
playing, I don't believe anyone can give a
On Sep 17, 2013, at 11:41 AM, "Perry E. Metzger" wrote:
>
> I confess I'm not sure what the current state of research is on MAC
> then Encrypt vs. Encrypt then MAC -- you may want to check on that.
Encrypt then MAC has a couple of big advantages centering around the idea that
you don't have to
On Tue, Sep 17, 2013 at 05:01:12PM -0400, Perry E. Metzger wrote:
> (Note that this assumes no cryptographic breakthroughs like doing
> discrete logs over prime fields easily or (completely theoretical
> since we don't really know how to do it) sabotage of the elliptic
> curve system in use.)
>
>
Forwarded-By: David Farber
Forwarded-By: "Annie I. Anton Ph.D."
http://www.zdnet.com/nsa-cryptanalyst-we-too-are-americans-720689/
NSA cryptanalyst: We, too, are Americans
Summary: ZDNet Exclusive: An NSA mathematician shares his from-the-trenches
view of the agency's surveillance activit
On Tue, 17 Sep 2013 16:52:26 -0400 John Kemp wrote:
> On Sep 17, 2013, at 2:43 PM, Phillip Hallam-Baker
> wrote:
> > The objective of PRISM-hardening is not to prevent an
> > attack absolutely, it is to increase the work factor for the
> > attacker attempting ubiquitous surveillance.
> >
> > Exa
On 9/17/13 at 2:48 AM, i...@iang.org (ianG) wrote:
The problem with adding multiple algorithms is that you are also adding
complexity. ...
Both Perry and Ian point out:
And, as we know, the algorithms rarely fail. [but systems do] ...
Absolutely! The techniques I suggested used the simples
On Sep 17, 2013, at 2:43 PM, Phillip Hallam-Baker wrote:
> My phrase PRISM-Proofing seems to have created some interest in the press.
>
> PRISM-Hardening might be more important, especially in the short term. The
> objective of PRISM-hardening is not to prevent an attack absolutely, it is to
>
Matthew Green tweeted earlier today that Johns Hopkins will be hosting
a roundtable at 10am EDT tomorrow (Wednesday, September 18th) to
discuss the NSA crypto revelations.
Livestream will be at: https://connect.johnshopkins.edu/jhuisicrypto/
Perry
--
Perry E. Metzger pe...@piermo
On Tue, Sep 17, 2013 at 8:54 AM, Perry E. Metzger wrote:
> I'd like to note quite strongly that (with certain exceptions like
> RC4) the odds of wholesale failures in ciphers seem rather small
> compared to the odds of systems problems like bad random number
> generators, sabotaged accelerator har
My phrase PRISM-Proofing seems to have created some interest in the press.
PRISM-Hardening might be more important, especially in the short term. The
objective of PRISM-hardening is not to prevent an attack absolutely, it is
to increase the work factor for the attacker attempting ubiquitous
survei
On 2013-09-17 07:37, Peter Gutmann wrote:
> Tony Arcieri writes:
>> On Mon, Sep 16, 2013 at 9:44 AM, Bill Frantz wrote:
>>> After Rijndael was selected as AES, someone suggested the really paranoid
>>> should super encrypt with all 5 finalists [...].
>>
>> I wish there was a term for this sort of
On Tue, 17 Sep 2013 10:07:38 -0700 Tony Arcieri
wrote:
> The NSA of course participated in active attacks too, but it seems
> their main MO was passive traffic collection.
That's not what I've gotten out of the most recent revelations. It
would seem that they've been evading rather than breaking
On Mon, 16 Sep 2013 17:47:11 -0700 Bill Frantz
wrote:
> Authentication is achieved by signing the entire exchange with
> DSA. -- Change the protocol to sign the exchange with both RSA
> and DSA and send and check both signatures.
Remember to generate the nonce for DSA using a deterministic me
> >> Such a backdoor would be feasible.
> > It might be feasible in theory (and see the Illinois Malicious
> > Processor as an example) but I think it would be hard to pull off
> > well -- too hard to account for changes in future code, too hard to
> > avoid detection of what you've done.
> Not sur
On Tue, Sep 17, 2013 at 9:28 AM, Perry E. Metzger wrote:
> In any case, I would continue to suggest that the weakest point
> (except for RC4) is (probably) not going to be your symmetric cipher.
> It will be protocol flaws and implementation flaws. No point in
> making the barn out of titanium if
On 17 Sep 2013 15:47, "Christoph Gruber" wrote:
>
> On 2013-09-16 Phillip Hallam-Baker wrote:
> [snip]
>>
>> If people are sending email through the corporate email system then in
>> many cases the corporation has a need/right to see what they are
>> sending/receiving.
>
> [snip]
>
> Even if an organis
Recommends phasing out RC4 among other things:
http://blog.ivanristic.com/2013/09/updated-best-practices-deprecate-rc4.html
--
Perry E. Metzger pe...@piermont.com
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.met
On Sep 17, 2013, at 5:49 AM, ianG wrote:
>>
>> I wish there was a term for this sort of design in encryption systems
>> beyond just "defense in depth". AFAICT there is not such a term.
>>
>> How about the Failsafe Principle? ;)
>
> A good question. In my work, I've generally modelled it such t
On 2013-09-16 Phillip Hallam-Baker wrote:
[snip]
> If people are sending email through the corporate email system then in many
> cases the corporation has a need/right to see what they are sending/receiving.
[snip]
Even if an organisation has a need/right to look into people's email, it is
nece
On 16/09/2013 23:39, Perry E. Metzger wrote:
> On Mon, 16 Sep 2013 11:54:13 -1000 Tim Newsham
> wrote:
>> - A backdoor that leaks cryptographic secrets
>>
>> consider for example applications using an intel chip with
>> hardware-assist for AES. You're feeding your AES keys
>> directly into the cpu
Added c...@panix.com -- if you want to re-submit this (and maybe not
top post it) I will approve it...
Perry
On Tue, 17 Sep 2013 11:08:43 -0400 Carl Ellison wrote:
> If you can examine your setup and determine all possible memory in
> the device, count that memory in bit-equivalents, and discove
On 17/09/13 01:40 AM, Tony Arcieri wrote:
On Mon, Sep 16, 2013 at 9:44 AM, Bill Frantz <fra...@pwpconsult.com> wrote:
After Rijndael was selected as AES, someone suggested the really
paranoid should super encrypt with all 5 finalists in the
competition. Five level super encryp
Hi Bill,
On 17/09/13 01:20 AM, Bill Frantz wrote:
The idea is that when serious problems are discovered with one
algorithm, you don't have to scramble to replace the entire crypto
suite. The other algorithm will cover your tail while you make an
orderly upgrade to your system.
Obviously you
On the "Paranoid Cryptoplumbing" discussion:
I'd like to note quite strongly that (with certain exceptions like
RC4) the odds of wholesale failures in ciphers seem rather small
compared to the odds of systems problems like bad random number
generators, sabotaged accelerator hardware, stolen keys,
On Mon, Sep 16, 2013 at 12:44 PM, Bill Frantz wrote:
> Symmetric encryption:
>
> Two algorithms give security equal to the best of them. Three
> protect against meet-in-the-middle attacks. Performing the
> multiple encryption at the block level allows block cyphers to
> be combined with s
Tony Arcieri writes:
>On Mon, Sep 16, 2013 at 9:44 AM, Bill Frantz wrote:
>> After Rijndael was selected as AES, someone suggested the really paranoid
>> should super encrypt with all 5 finalists in the competition. Five level
>> super encryption is probably overkill, but two or three levels can
On Tue, 17 Sep 2013 11:35:34 -0400 "Perry E. Metzger"
wrote:
> Added c...@panix.com -- if you want to re-submit this (and maybe not
> top post it) I will approve it...
Gah! Accidentally forwarded that to the whole list, apologies.
--
Perry E. Metzger pe...@piermont.com
On Tue, 17 Sep 2013 12:15:48 -0400 Jerry Leichter
wrote:
> Actually, I think there is a potentially interesting issue here:
> RC4 is faster and requires significantly fewer resources than
> modern block ciphers. As a result, people would really like to use
> it - and actually they *will* continue
On Sep 17, 2013, at 11:54 AM, "Perry E. Metzger" wrote:
> I'd like to note quite strongly that (with certain exceptions like
> RC4) the odds of wholesale failures in ciphers seem rather small
> compared to the odds of systems problems like bad random number
> generators, sabotaged accelerator hard
Weeks after the informal announcement, the Taiwanese National ID
smartcard break is finally getting press. It is a great example of
a piece of "certified" crypto hardware that works poorly because
of bad random number generation.
Good explanation for your technical but not security oriented friend