Because not being fast enough means you don't ship. You don't ship, you
didn't secure anything.
Performance will in fact trump security. This is the empirical reality.
There's some budget for performance loss. But we have lots and lots of
slow functions. Fast is the game.
(Now, whether my theo
Dan,
>
> I looked at the GNFS runtime and plugged a few numbers in. It seems
> RSA Security is using a more conservative constant of about 1.8 rather
> than the suggested 1.92299...
>
> See:
> http://mathworld.wolfram.com/NumberFieldSieve.html
>
> So using 1.8, a 1024 bit RSA key is roughly equiva
All,
I've got a "perfect vs. good" question.
NIST is pushing RSA-2048. And I think we all agree that's probably a
good thing.
However, performance on RSA-2048 is too low for a number of real world
uses.
Assuming RSA-2048 is unavailable, is it worth taking the intermediate
step of u
Eric Rescorla wrote:
At Fri, 8 Aug 2008 17:31:15 +0100,
Dave Korn wrote:
Eric Rescorla wrote on 08 August 2008 16:06:
At Fri, 8 Aug 2008 11:50:59 +0100,
Ben Laurie wrote:
However, since the CRLs will almost certainly not be checked, this
means the site will still be vulnerabl
Peter Gutmann wrote:
> "David G. Koontz" <[EMAIL PROTECTED]> writes:
>
>
>> Military silicon already has RNG on chip (e.g. AIM, Advanced INFOSEC Machine,
>> Motorola),
>>
>
> That's only a part of it. Military silicon has a hardware RNG on chip
> alongside a range of other things because
>> (as if anyone uses client certificates anyway)?
>>
>
> Guess why so few people are using it ...
> If it were secure, more people would be able to use it.
>
>
People don't use it because the workload of getting signed up is vastly
beyond their skillset, and the user experience using the
> Crypto solves certain problems very well. Against others, it's worse
> than useless -- "worse", because it blocks out friendly IDSs as well as
> hostile parties.
>
>
Yawn. IDS is dead, has been for a while now. The bottom line discovery
has been that:
1) Anomaly detection doesn't work bec
Ben Laurie wrote:
I wrote some code to show the internal state of MD5 during a collision...
http://www.shmoo.com/md5-collision.html
Cheers,
Ben.
Ben--
http://www.doxpara.com/md5_anim.gif
Thpt ;)
(That being said -- I do like your output. Very nice.)
--Dan
---
This is yet more reason why I propose that you authorize transactions
with public keys and not with the use of identity information. The
identity information is widely available and passes through too many
hands to be considered "secret" in any way, but a key on a token never
will pass through a
A quick question to anyone who might be in the banking industry.
Why do banks not collect simple biometric information like photographs
of their customers yet?
Bank Of America put my photo on my ATM card back in '97. They're
shipping me a new one right now, so I assume they kept it in the
Jerrold Leichter wrote:
| > Credit card fraud has gone *down* since 1992, and is actually falling:
| >
| > 1992: $2.6B
| > 2003: $882M
| > 2004: $788M
| >
| > We're on the order of 4.7 cents on the $100.
| >
| >
http://www.businessweek.com/technology/content/jun2005/tc20050621_3238_tc024.htm
I think you're wrong on that one. Financial cost and benefit are easily
assessed on this, and I think the numbers add up. Credit card fraud
costs in the hundreds of billions of dollars a year, much of which
could be eliminated by a change to the sort of system I
mention. That's not a small amount
So the funny thing about, say, SHA-1, is if you give it less than 160
bits of data, you end up expanding into 160 bits of data, but if you
give it more than 160 bits of data, you end up contracting into 160 bits
of data. This works of course for any input data, entropic or not.
Hash saturation?
Ah! I was looking for this info, and finally found it in something I
posted in an old gadget blog. Short version, biometric hashes are
reversible, since the algorithms provide confidence levels and you can
always alter towards higher confidence.
---
It is repeated that hashes generated by biomet
>If you are insisting that there is always
>a way and that, therefore, the situation is
>permanently hopeless such that the smart
>ones are getting the hell out of the
>Internet, I can go with that, but then
>we (you and I) would both be guilty of
>letting the best be the enemy of the good.
>
>
>Suppose you have something that is inadvertently an
>oracle - it encrypts stuff from many different users
>preparatory to sending it out over the internet, and
>makes no effort to strongly authenticate a user.
>
>Have it encrypt stuff into a buffer, and on a timer
>event, send out the buffer.
>
>
Dan--
I had something much more complicated, but it comes down to:
You trust Internet Explorer.
Spyware considers Internet Explorer crunchy, and good with ketchup.
Any questions?
A little less snarkily, Spyware can trivially use what MS refers to
as a Browser Helper Object (B
>2) The cost in question is so small as to be unmeasurable.
>
>
>
Yes, because key management is easy or free.
Also, reliability of encrypted backups is problematic: CBC modes render
a single fault destructive to the entire dataset. Counter mode is
sufficiently new that it's not supported by
>"The likelihood of having the information compromised is very remote given
>the type of equipment that is required to read it," Debby Hopkins,
>Citigroup's chief operations and technology officer, said in an interview.
>"Additionally, the information is not in a format that an untrained eye
>woul
From what I've heard, datapath to the disk. I've read enough of the
specs to see they're well aware a worm could brick a couple hundred
thousand hard drives.
--Dan
James A. Donald wrote:
>Every ATA disk contains encryption firmware, though not
>all bioses allow you to use it.
>
>There is a ma
>Have you looked at their scheme?
> http://www.securescience.net/ciphers/csc2/
>The way to come up with a cipher provably as secure as AES-128 is to use
>AES-128 as part of your cipher -- but their scheme does not do anything
>like that.
>
>I am very skeptical about claims that they have a mathem
Ian,
The Wang attack does nothing (yet) for second preimages.
The best attack I know of against them is in Kelsey and
Schneier's "Second Preimages on n-bit Hash Functions for Much Less than
2^n Work". It's at: http://eprint.iacr.org/2004/304
Once you cut through the verbia
Steven M. Bellovin wrote:
>We all understand the need to move to better hash algorithms than SHA1.
>At a minimum, people should be switching to SHA256/384/512; arguably,
>Whirlpool is the right way to go. The problem is how to get there from
>here.
>
>
I've been rather continually pinging pe
Ben,
x can equal either test vector released by Wang, and H(x) will be
identical. With H(x) identical, the rest of the HMAC stays identical too.
As a couple people pointed out, it's OK that HMAC is "vulnerable" to
the Wang attack, since in order to execute the attack the key is
required
Re, GDBE--
Some initial thoughts:
I wouldn't be surprised if platters couldn't be analyzed for usage
levels / magnetic degradation (Peter?). Even without a clean room, ATA
is pretty rich -- anyone remember the guy who graphically plotted the
spiral damage caused by a failed drive head w/
>The description has virtually nothing to do with the actual algorithm
>proposed. Follow the link in the article - http://www.stealth-attacks.info/ -
>for an actual - if informal - description.
>
>
There is no actual description publicly available (there are three
completely different proto
Ben Laurie wrote:
> Dan Kaminsky wrote:
>
>> The x.509 cert collision is a necessary consequence of the earlier
>> discussed prime/not-prime collision. Take the previous concept, make
>> both prime, and surround with the frame of an x.509 cert, and you get
>>
Ben,
Semantic gap, and I do apologize if I didn't make this clear. Wang
adapts to any initial state, so you can create arbitrary content to
prepend your collision set with, adapt to its output, and then append
whatever you like. The temporal ordering is indeed important though;
you can't cre
>
> My complaint is against the parroting of patently absurd claims by
> manufacturers (or governments, for that matter) under the guise of
> journalism.
>
> If you need the reason to be concrete, here's one: I might buy this
> magic water and apply it to some of my stuff, figuring I don't have to
>
> No, that's not what it says. It says that "Note that padding rules
> were not applied to the message." This is exactly the same as the
> previous breaks; it just means that the collision appears in the
> chaining output... if you just append anything at all to the end of
> the texts, and pad i
Matt Crawford wrote:
>
> On Feb 15, 2005, at 12:40, R.A. Hettinga wrote:
>
>> Instant, is a property-marking fluid that, when
>> brushed on items like office equipment or motorcycles, tags them with
>> millions of tiny fragments, each etched with a unique SIN (SmartWater
>> identification number)
>and what about HMAC-SHA1 ? Is it reducing the operation required by
>the same factor or as the structure of HMAC is so different that the
>attack is very unlikely to be practical ?
>
>
Depends if you care about HMAC collisions being computationally
infeasible or not. The attack against MD
It is worth emphasizing that, as a 2^69 attack, we're not going to be
getting test vectors out of Wang. After all, if she had 2^69
computation available, she wouldn't have needed to attack MD5; she could
have just brute forced it in 2^64.
This means the various attacks in the MD5 Someday paper ar
Digital certificates can be explained as digital passports, which help in
authentication of the bearer on the Internet. This also helps maintain
privacy and integrity of Net-based transactions. Digital signatures are
accorded the same value as paper-based signatures of the physical world by
the I
Actually it's not that bad: using SIP, the RTP packets can be protected by
SRTP (RFC3711, with an opensource implementation from Cisco at
http://srtp.sourceforge.net/ )
SRTP...heh. Take a look at RFC3711 for a second.
"
Specification of a key management protocol for SRTP is out of scope
here.
The best that can happen with TCPA is pretty good -
it could stop a lot of viruses and malware, for one
thing.
No, it can't. That's the point; it's not like the code running inside
the sandbox becomes magically exploit-proof...it just becomes totally
opaque to any external auditor. A black h
Uh, you *really* have no idea how much the black hat community is
looking forward to TCPA. For example, Office is going to have core
components running inside a protected environment totally immune to
antivirus.
How? TCPA is only a cryptographic device, and some BIOS code, nothing
else. Does
Uh, you *really* have no idea how much the black hat community is
looking forward to TCPA. For example, Office is going to have core
components running inside a protected environment totally immune to
antivirus. Since these components are going to be managing
cryptographic operations, the "we
tworks under the global search hash.
I hope this paper proves useful to the security community at large, and
I welcome feedback.
--Dan Kaminsky
www.doxpara.com
[EMAIL PROTECTED]
The Cryptography Mailing List