Re: identification + Re: authentication and authorization

sing) TV ads by CitiBank. With high regards, Aram Perez [snip] - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: New Attack on Secure Browsing

o displayed on the address bar (and tab) when you go to there site, see http://www.yahoo.com or http://www.google.com. Maybe Jon can answer the question. Respectfully, Aram Perez - The Cryptography Mailing List Unsubscribe by sendi

Re: should you trust CAs? (Re: dual-use digital signature vulnerability)

nother certificate with the same email. I can repeat this until I'm bankrupt and Verisign will gladly accept my money. I agree with Michael H. If you trust the CA to issue a cert, it's not that much more to trust them with generati

Re: should you trust CAs? (Re: dual-use digital signature vulnerability)

Hi Adam, > From: Adam Back <[EMAIL PROTECTED]> > Date: Fri, 30 Jul 2004 17:54:56 -0400 > To: Aram Perez <[EMAIL PROTECTED]> > Cc: [EMAIL PROTECTED], Cryptography <[EMAIL PROTECTED]>, Adam > Back <[EMAIL PROTECTED]> > Subject: Re: should you

Re: Al Qaeda crypto reportedly fails the test

Hi Chris, > Steven M. Bellovin writes: > >> http://www.petitcolas.net/fabien/kerckhoffs/index.html for the actual >> articles.) > > Does there exist an English translation (I'd be surprised if not)? If > not, I'd be happy to provide one if there were sufficient interest. I'd be interested in an

Is 3DES Broken?

effect as his "time at present is limited and valuable". He claims that "the specifics were already posted on this and several other similar forums". Other than Ross Anderson and his students extracting a 3DES key from an IBM4758, has 3DES been in fact broken? Thank you, Ara

Blowsearch Secured Messanger

BSM must be very secure! Quote from the web site: " Blowsearch Secured Messenger utilizes the OpenSSL library to provide encryption routines for your Instant Messages. We use a combination of randomly selected schemes and bit lengths, ranging up to 4096 bits, with additional algorithms added in

Re: ID "theft" -- so what?

garnered the most business/ economic support. Respectfully, Aram Perez On Jul 14, 2005, at 6:19 AM, Perry E. Metzger wrote: Ian Grigg <[EMAIL PROTECTED]> writes: It's 2005, PKI doesn't work, the horse is dead. He's not proposing PKI, but nymous accounts. The account is t

Re: the limits of crypto and authentication

our customers had SET wallets installed on their PCs before selling a product? Or were you going to sell to anyone who used a web browser that supported SSL? It was very simple economics, even if you had to pay VeriSign $400 for your SSL certificate and pay Visa/MasterCard a higher

Re: the limits of crypto and authentication

e certs for the consumers. The client-merchant protocol supported clients without certs. Respectfully, Aram Perez - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Motorist wins case after maths whizzes break speed camera code

above the speed limit). Just my 2 centavos, Aram Perez - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

High-risk flaws in Skype

- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Skype Patches Critical Flaws

Skype Patches Critical Flaws Skype users are being urged to upgrade to the latest version of the Internet telephony client, due to a number of critical flaws in the software that were disclosed by Skype's maker, Skype Technologies SA. -

Another Skype Study

Don't recall seeing this on the list: <http://www.ossir.org/windows/ supports/2005/2005-11-07/EADS-CCR_Fabrice_Skype.pdf> Enjoy, Aram Perez - The Cryptography Mailing List Unsubscribe by sending "unsubscribe

Web Browser Developers Work Together on Security

Core KDE developer George Staikos recently hosted a meeting of the security developers from the leading web browsers. The aim was to come up with future plans to combat the security risks posed by phishing, ageing encryption ciphers and inconsistent SSL Certificate practise. Read on for Geo

Re: X.509 / PKI, PGP, and IBE Secure Email Technologies

bable storm as a (million dollar) yacht. There is no such thing as "one-size encryption system fits all cases". Regards, Aram Perez - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: X.509 / PKI, PGP, and IBE Secure Email Technologies

, and if it does not it is a bad encryption system. Aram Perez I'm sorry James, but you can't expect a (several hundred dollar) rowboat to resist the same probable storm as a (million dollar) yacht. Software is cheaper than boats - the poorest man can afford the strongest encrypti

Re: CD shredders, was Re: thoughts on one time pads

On Feb 1, 2006, at 3:50 AM, Travis H. wrote: On 1/28/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: In our office, we have a shredder that happily takes CDs and is designed to do so. It is noisy and cost >$500. Here's one for $40, although it doesn't appear to "shred" them so much as make

Re: passphrases with more than 160 bits of entropy

numbers 0 - 255 have maximum entropy but have no randomness (although there is finite probability that a RNG will produce the sequence). Regards, Aram Perez - The Cryptography Mailing List Unsubscribe by sending "unsubscri

Re: passphrases with more than 160 bits of entropy

On Mar 22, 2006, at 9:04 AM, Perry E. Metzger wrote: Aram Perez <[EMAIL PROTECTED]> writes: Entropy is a highly discussed unit of measure. And very often confused. Apparently. While you do want maximum entropy, maximum entropy is not sufficient. The sequence of the consecutive num

Entropy Definition (was Re: passphrases with more than 160 bits of entropy)

er) When the original poster requested "passphrases with more than 160 bits of entropy", what was he requesting? * Does processing an 8 character password with a process similar to PKCS#5 increase the entropy of the password? * Can you add or increase entropy?

Why phishing works

I don't recall seeing this here, but a friend sent me the following link: <http://people.deas.harvard.edu/~rachna/papers/ why_phishing_works.pdf> Enjoy, Aram Perez - The Cryptography Mailing List Unsubscribe

Re: Chinese WAPI protocol?

Hi Richard, I have not looked at WAPI, but they have been trying to get it approved for a number of years, check out <http://en.wikipedia.org/wiki/WAPI> (has link to algorithm) and <http://www.foxnews.com/story/0,2933,199082,00.html>. Regards, Aram Perez On Monday, June 12, 2006

Re: Chinese WAPI protocol?

Hi Folks, My apologies on stating that the Wiki page had a link to the algorithm. I saw the link but didn't click on it to see if in fact there was a description of the actual algorithm. Regards, Aram Perez On Monday, June 12, 2006, at 06:45PM, David Wagner <[EMAIL PROTECTED]> wr

Re: EMC is buying RSA

other version of the story: news.moneycentral.msn.com/ticker/article.asp?Feed=BW&Date=20060629&ID =5836046&Symbol=US:RSAS> Regards, Aram Perez - The Cryptography Mailing List Unsubscribe by sending "unsubscrib

Interesting paper on PKI and TRUSTe

nding organic search results for the same search terms. See http://www.benedelman.org/publications/advsel-trust-draft.pdf Enjoy, Aram Perez - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

AES128-CBC Question

Hi Folks, Is there any danger in using AES128-CBC with a fixed IV of all zeros? This is being proposed for a standard "because that's how SD cards implemented it". Thanks, Aram Perez - The Cryptography Mailing L

More info in my AES128-CBC question

experience. As I mentioned, the response to my question of why would we standardize this was "that's how SD cards do it". I'll look at the references and hopefully convince enough people that it's a bad idea. Thanks again, Aram Perez --

Re: More info in my AES128-CBC question

128 session encryption key SK, an HMAC- SHA-1 message integrity key MK and either a counter or IV Either AES-CTR or AES-CBC will be support 3) Data needing confidentiality is encrypted with the SK in the mode selected in step 1. The messa

Change of Heart WRT to a Fixed IV of 0's

Hi Folks, The latest version the document, where the use of a fixed IV of zeros was originally proposed, now has a regular random IV. Thanks for all the support, Aram Perez - The Cryptography Mailing List Unsubscribe by

Re: More info in my AES128-CBC question

Hi Nico, On Apr 23, 2007, at 8:11 AM, Nicolas Williams wrote: On Sun, Apr 22, 2007 at 05:59:54PM -0700, Aram Perez wrote: No, there will be message integrity. For those of you asking, here's a high level overview of the protocol is as follows: [...] 3) Data needing confidentiali

The best riddle you wil hear today...

- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Quantum Cryptography

Hi Folks, On a legal mailing list I'm on there is a bunch of emails on the perceived effects of quantum cryptography. Is there any authoritative literature/links that can help clear the confusion? Thanks in advance, Aram

Fwd: Potential SHA 1 Hack Using Distributed Computing - Near Miss(es) May be Good Enough

Anyone know more about this? Begin forwarded message: From: "Steven W. Teppler" Date: August 13, 2007 4:41:56 PM PDT To: [EMAIL PROTECTED] Subject: Potential SHA 1 Hack Using Distributed Computing - Near Miss(es) May be Good Enough From DarkReading, via Heise Security: Cracking SHA-1 usin

Another Snake Oil Candidate

The world's most secure USB Flash Drive: . - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Another Snake Oil Candidate

Hi Jon, On Sep 11, 2007, at 5:35 PM, Jon Callas wrote: I'm a beta-tester for it, and while I can understand a small twitch when they talk about "miltary" and "beyond military" levels of security, it is very cool. It has hardware encryption and will erase itself if there are too many pass

Re: Another Snake Oil Candidate

ually do live up to their own web site or not. I ran across the company because they had an ad on a web page I had visited. Their ad raise my curiosity and I looked at their web site. I stand by my opinion that they are selling security snake oil. They imply that you can use an IronKe

Re: flavors of reptile lubricant, was Another Snake Oil Candidate

nobabble, Experienced Security Experts, "Military Grade" and to a certain extend Unbreakability (normally applied to software, but IronKey claims the epoxy prevents "criminals from getting to the internal hardware components"). Respectfully, Aram Perez -

Re: OK, shall we savage another security solution?

Hi Jerry, On Tuesday, September 18, 2007, at 07:24PM, "Leichter, Jerry" <[EMAIL PROTECTED]> wrote: >Anyone know anything about the Yoggie Pico (www.yoggie.com)? It claims >to do much more than the Ironkey, though the language is a bit less >"marketing-speak". On the other hand, once I got thro

Spammers employ stripper to crack CAPTCHAs

'Melissa' disrobes in ploy that relies on people, not CPUs, to crack squiggly codes October 30, 2007 (Computerworld) -- Spammers are using a virtual stripper as bait to dupe people into helping criminals crack codes they need to send more spam or boost the rankings of parasitic Web sites,

Re: ITU-T recommendations for X.509v3 certificates

ons (mostly in the TLS, S/MIME area)? I can't help you there. You can see my opinion on this issue towards the middle of Peter Gutmann's page at <http://www.cs.auckland.ac.nz/~pgut001/ >. Regards, Aram Perez ---

Italian Bank's XSS Opportunity Seized by Fraudsters

Anyone know more about this ? - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PRO

Re: Dutch Transport Card Broken

ed by the reader. Regards, Aram Perez - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Book Review

Hi Folks, Does anyone have a review on the upcoming book "Modern Cryptanalysis: Techniques for Advanced Code Breaking" by Christopher Swenson? Thanks, Aram Perez - The Cryptography Mailing List Unsubscribe