On Sat, 25 Oct 2008, John Denker wrote:
| On 10/25/2008 04:40 AM, IanG gave us some additional information.
|
| Even so, it appears there is still some uncertainty as to
| interpretation, i.e. some uncertainty as to the requirements
| and objectives.
|
| I hereby propose a new scenario. It is
On Tue, 28 Oct 2008, John Denker wrote:
| Date: Tue, 28 Oct 2008 12:09:04 -0700
| From: John Denker [EMAIL PROTECTED]
| To: Leichter, Jerry [EMAIL PROTECTED],
| Cryptography cryptography@metzdowd.com
| Cc: IanG [EMAIL PROTECTED]
| Subject: Re: combining entropy
|
| On 10/28/2008 09:43 AM
On Sun, 21 Sep 2008, Eric Rescorla wrote:
| - Use TLS-PSK, which performs mutual auth of client and server
| without ever communicating the password
| Once upon a time, this would have been possible, I think. Today,
| though, the problem is the user entering their key in a box that is
|
On Fri, 19 Sep 2008, Barney Wolff wrote:
| Date: Fri, 19 Sep 2008 01:54:42 -0400
| From: Barney Wolff [EMAIL PROTECTED]
| To: EMC IMAP [EMAIL PROTECTED]
| Cc: Cryptography cryptography@metzdowd.com
| Subject: Re: Cookie Monster
|
| On Wed, Sep 17, 2008 at 06:39:54PM -0400, EMC IMAP wrote:
| Yet
On Thu, 11 Sep 2008, Peter Gutmann wrote:
| ...I've been (very informally) tracking it for awhile, and for generic
| data (non-Platinum credit cards, PPal accounts, and so on) it's
| essentially too cheap to meter, you often have to buy the stuff
| in blocks (10, 20, 50 at a time) to make it worth
| | My theory is that no actual security people have ever been involved,
| | that it's just another one of those stupid design practices that are
| | perpetuated because nobody has ever complained or that's what
| | everybody is doing.
|
| Your theory is incorrect. There is considerable
On Fri, 8 Aug 2008, Dave Korn wrote:
| Isn't this a good argument for blacklisting the keys on the client
| side?
|
| Isn't that exactly what Browsers must check CRLs means in this
| context anyway? What alternative client-side blacklisting mechanism
| do you suggest?
Since the list of bad
| Funnily enough I was just working on this -- and found that we'd
| end up adding a couple megabytes to every browser. #DEFINE
| NONSTARTER. I am curious about the feasibility of a large bloom
| filter that fails back to online checking though. This has side
| effects but perhaps
| You can get by with a lot less than 64 bits. People see problems
| like this and immediately think birthday paradox, but there is no
| birthday paradox here: You aren't look for pairs in an
| ever-growing set, you're looking for matches against a fixed set.
| If you use 30-bit hashes -
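As an added illustration of the trade-off discussed above (example code, not from any of the list messages): a small Bloom filter in C over a constructed blacklist of key fingerprints. The "badkey-N" and "goodkey-N" strings are made up, the FNV-1a hash with a murmur-style finalizer and the double-hashing index scheme are my choices, and the filter sizes are picked to make the false-positive rate visible. The filter answers either "definitely not blacklisted" or "possibly blacklisted, do the online check", which is the fall-back arrangement proposed above, and bloom_fp_rate gives the expected false-positive rate for a fixed set of n bad keys, where, as the thread notes, no birthday bound applies.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 64-bit FNV-1a plus a murmur-style finalizer, so the low bits we keep after
   truncation depend on every input byte. */
static uint64_t hash64(const void *data, size_t len, uint64_t seed) {
    const unsigned char *p = (const unsigned char *)data;
    uint64_t h = 14695981039346656037ULL ^ seed;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    h ^= h >> 33; h *= 0xff51afd7ed558ccdULL;
    h ^= h >> 33; h *= 0xc4ceb9fe1a85ec53ULL;
    return h ^ (h >> 33);
}

typedef struct { uint8_t *bits; size_t mbits; unsigned k; } bloom_t;

/* mbits must be a power of two so truncating the hash is a mask. */
int bloom_init(bloom_t *b, size_t mbits, unsigned k) {
    if (mbits == 0 || (mbits & (mbits - 1)) != 0 || k == 0) return 0;
    b->bits = (uint8_t *)calloc(mbits / 8, 1);
    b->mbits = mbits;
    b->k = k;
    return b->bits != NULL;
}

void bloom_free(bloom_t *b) { free(b->bits); b->bits = NULL; }

/* Double hashing: k indexes from two hashes, each truncated to log2(mbits) bits. */
static size_t bloom_idx(const bloom_t *b, uint64_t h1, uint64_t h2, unsigned i) {
    return (size_t)((h1 + (uint64_t)i * h2) & (b->mbits - 1));
}

void bloom_add(bloom_t *b, const void *key, size_t len) {
    uint64_t h1 = hash64(key, len, 0), h2 = hash64(key, len, 1) | 1;
    for (unsigned i = 0; i < b->k; i++) {
        size_t idx = bloom_idx(b, h1, h2, i);
        b->bits[idx >> 3] |= (uint8_t)(1u << (idx & 7));
    }
}

/* 0: definitely not in the set. 1: possibly in the set; fall back to the online check. */
int bloom_maybe_contains(const bloom_t *b, const void *key, size_t len) {
    uint64_t h1 = hash64(key, len, 0), h2 = hash64(key, len, 1) | 1;
    for (unsigned i = 0; i < b->k; i++) {
        size_t idx = bloom_idx(b, h1, h2, i);
        if (!(b->bits[idx >> 3] & (1u << (idx & 7)))) return 0;
    }
    return 1;
}

/* Expected false-positive rate (1 - (1 - 1/m)^(k*n))^k for n entries, m bits,
   k hashes. One random good key against a fixed set: no birthday paradox. */
double bloom_fp_rate(size_t n, size_t m, unsigned k) {
    double survive = 1.0;
    for (size_t i = 0; i < (size_t)k * n; i++) survive *= 1.0 - 1.0 / (double)m;
    double fp = 1.0;
    for (unsigned i = 0; i < k; i++) fp *= 1.0 - survive;
    return fp;
}

/* Constructed demo: n made-up bad-key fingerprints in a filter of mbits bits.
   Returns the number of false positives among `trials` good keys, or -1 if
   any bad key was missed (which a Bloom filter must never do). */
long demo_blacklist(size_t n, size_t mbits, unsigned k, size_t trials) {
    bloom_t b;
    char buf[32];
    if (!bloom_init(&b, mbits, k)) return -1;
    for (size_t i = 0; i < n; i++) {
        snprintf(buf, sizeof buf, "badkey-%zu", i);      /* constructed fingerprint */
        bloom_add(&b, buf, strlen(buf));
    }
    for (size_t i = 0; i < n; i++) {
        snprintf(buf, sizeof buf, "badkey-%zu", i);
        if (!bloom_maybe_contains(&b, buf, strlen(buf))) { bloom_free(&b); return -1; }
    }
    long fp = 0;
    for (size_t i = 0; i < trials; i++) {
        snprintf(buf, sizeof buf, "goodkey-%zu", i);     /* constructed, not blacklisted */
        fp += bloom_maybe_contains(&b, buf, strlen(buf));
    }
    bloom_free(&b);
    return fp;
}
```

demo_blacklist(1000, 1 << 14, 4, 100000) uses a 2 KiB filter and yields a few hundred false positives per hundred thousand good keys, about 0.2%, matching bloom_fp_rate; with 1 << 20 bits (128 KiB) the expected rate drops to roughly 2e-10. Each false positive costs only an online check, and a bad key is never wrongly passed, which is what makes the size/accuracy knob safe to turn.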
On Thu, 7 Aug 2008, John Ioannidis wrote:
| Does anyone know how this security questions disease started, and
| why it is spreading the way it is? If your company does this, can you
| find the people responsible and ask them what they were thinking?
|
| My theory is that no actual security
On Wed, 6 Aug 2008, Peter Saint-Andre wrote:
| Wells Fargo is requiring their online banking customers to provide
| answers to security questions such as these:
|
| ***
|
| What is name of the hospital in which your first child was born?
| What is your mother's birthday? (MMDD)
| What is the
For an interesting discussion of IPETEE, see:
www.educatedguesswork.org/moveabletype/archives/2008/07/ipetee.html
Brief summary: This is an initial discussion - the results of a
drinking session - that got leaked as an actual proposal. The
guys behind it are involved with The Pirate Bay. The
On Tue, 8 Jul 2008, Perry E. Metzger wrote:
| Has anyone had any real-world experience with these yet? Are there
| standards for how they get the keys from the BIOS or OS? (I'm
| interested in how they deal with zeroization on sleep and such.)
|
| Most manufacturers (will) implement the TCG
| ...Obviously patents could be improved by searching further across
| disciplines for prior art and by having more USPTO expertise. We're
| also seeing a dumbing down of the 'Persons Having Ordinary Skill In
| the Art' as the number of practitioners expand rapidly.
Patent law and its
Ah, where the web is going. 8e6 Technologies sells a hardware box
that it claims does signature analysis to detect HTTP proxies and
blocks them. It can also block HTTPS proxies that do not have a
valid certificate (whatever that means), as well as do such things
as block IM, force Google and
On Wed, 2 Jul 2008, Peter Gutmann wrote:
| Date: Wed, 02 Jul 2008 12:08:18 +1200
| From: Peter Gutmann [EMAIL PROTECTED]
| To: [EMAIL PROTECTED], [EMAIL PROTECTED]
| Cc: cryptography@metzdowd.com, [EMAIL PROTECTED]
| Subject: Re: Strength in Complexity?
|
| Perry E. Metzger [EMAIL PROTECTED]
| The key size would imply PKI; that being true, then the ransom may
| be for a session key (specific per machine) rather than the master
| key it is unwrapped with.
|
| Per the computerworld.com article:
|
|Kaspersky has the public key in hand -- it is included in the
|Trojan's code --
| Why are we wasting time even considering trying to break the public key?
|
| If this thing generates only a single session key (rather, a host key)
| per machine, then why is it not trivial to break? The actual encryption
| algorithm used is RC4, so if they're using a constant key without
| SNMPv3 Authentication Bypass Vulnerability
|
|Original release date: June 10, 2008
|Last revised: --
|Source: US-CERT
|
| Systems Affected
|
| * Multiple Implementations of SNMPv3
|
| Overview
|
| A vulnerability in the way implementations of SNMPv3 handle specially
|
Computerworld reports:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9094818
on a call from Kaspersky Labs for help breaking encryption used by some
ransomware: Code that infects a system, uses a public key embedded in
the code to encrypt your files, then
On Mon, 9 Jun 2008, John Ioannidis wrote:
| Date: Mon, 09 Jun 2008 15:08:03 -0400
| From: John Ioannidis [EMAIL PROTECTED]
| To: Leichter, Jerry [EMAIL PROTECTED]
| Cc: cryptography@metzdowd.com
| Subject: Re: Ransomware
|
| Leichter, Jerry wrote:
| Computerworld reports:
|
|
http
On Wed, 4 Jun 2008, Perry E. Metzger wrote:
| As some of you know, one can now buy Enhanced Security certificates,
| and Firefox and other browsers will show the URL box at the top with a
| special distinctive color when such a cert is in use.
|
| Many of us have long contended that such things
| There's an option 2b that might be even more practical: an S/MIME or
| PGP/MIME forwarder. That is, have a trusted party receive your mail,
| but rather than forwarding it intact encrypt it and then forward it to
| your favorite IMAP provider.
Excellent idea! I like it.
Of course, it's
At one time, mail delivery was done to the end-user's system, and all
mail was stored there. These days, most people find it convenient to
leave their mail on an IMAP server: It can be accessed from anywhere,
it can be on a system kept under controlled conditions (unlike a
laptop), and so on.
Note the reference to recent results on spiking hardware. (From some
IDG journal - I forget which.)
-- Jerry
-- Forwarded message --
FBI Worried as DoD Sold Counterfeit Networking Gear
Stephen Lawson and Robert McMillan,
An interesting datapoint I've always had on this question: Back in 1975
or so, a mathematician I knew (actually, he was a friend's PhD advisor)
left academia to go work for the NSA. Obviously, he couldn't say
anything at all about what he would be doing.
The guy's specialty was algebraic
On Thu, 8 May 2008, Perry E. Metzger wrote:
| Quoting:
|
|It was one of the most iconic and heart-stopping movie images of
|2003: the Columbia Space Shuttle ignited, burning and crashing to
|earth in fragments.
|
|Now, amazingly, data from a hard drive recovered from the
On Fri, 9 May 2008, Ali, Saqib wrote:
| Edwards said the Seagate hard drive -- which was
| about eight years old in 2003 -- featured much
| greater fault tolerance and durability than current
| hard drives of similar capacity.
|
| I am not so sure about this
On Mon, 28 Apr 2008, Ryan Phillips wrote:
| Matt's blog post [1] gets to the heart of the matter of what we can
| trust.
|
| I may have missed the discussion, but I ran across Netronome's 'SSL
| Inspector' appliance [2] today and with the recent discussion on this
| list regarding malicious
On Sat, 26 Apr 2008, Karsten Nohl wrote:
| Assuming that hardware backdoors can be built, the interesting
| question becomes how to defend against them. Even after a particular
| triggering string is identified, it is not clear whether software can
| be used to detect malicious programs. It almost
On Mon, 28 Apr 2008, Ed Gerck wrote:
| Leichter, Jerry wrote:
| I suspect the only heavy-weight defense is the same one we use against
| the Trusting Trust hook-in-the-compiler attack: Cross-compile on
| as many compilers from as many sources as you can, on the assumption
| that not all
On Thu, 24 Apr 2008, Jacob Appelbaum wrote:
| Perry E. Metzger wrote:
| A pretty scary paper from the Usenix LEET conference:
|
| http://www.usenix.org/event/leet08/tech/full_papers/king/king_html/
|
| The paper describes how, by adding a very small number of gates to a
| microprocessor
| Date: Thu, 24 Apr 2008 16:22:34 +
| From: Steven M. Bellovin [EMAIL PROTECTED]
| To: cryptography@metzdowd.com
| Subject: Declassified NSA publications
|
| http://www.nsa.gov/public/crypt_spectrum.cfm
Interesting stuff. There's actually more there in some parallel
directories - there's an
On Wed, 23 Apr 2008, Alexander Klimov wrote:
| Date: Wed, 23 Apr 2008 12:53:56 +0300 (IDT)
| From: Alexander Klimov [EMAIL PROTECTED]
| To: Cryptography cryptography@metzdowd.com
| Subject: no possible brute force Was: Cruising the stacks and finding stuff
|
| On Tue, 22 Apr 2008, Leichter
| ...How bad is brute force here for AES? Say you have a chip that can do
| ten billion test keys a second -- far beyond what we can do now. Say
| you have a machine with 10,000 of them in it. That's 10^17 years worth
| of machine time, or about 7 million times the lifetime of the universe
| so
Anyone know anything about a company called 2factor (2factor.com)?
They're pushing a system based on symmetric cryptography with, it
appears, some kind of trusted authority. Factor of 100 faster
than SSL. More secure, because it authenticates every message.
No real technical data I can find on
| They extended the confirmation-of-a-file attack into the
| learn-partial-information attack. In this new attack, the
| attacker learns some information from the file. This is done by
| trying possible values for unknown parts of a file and then
| checking whether the result
|...Convergent encryption renders user files vulnerable to a
|confirmation-of-a-file attack. We already knew that. It also
|renders user files vulnerable to a learn-partial-information
|attack in subtle ways. We didn't think of this until now. My
|search of the literature
| As if the latest research (which showed that RAM contents can be
| recovered after power-down) was not enough, it seems as Firewire ports
| can form yet an easier attack vector into FDE-locked laptops.
|
| Windows hacked in seconds via Firewire
|
| So at the company I work for, most of the internal systems have
| expired SSL certs, or self-signed certs. Obviously this is bad.
|
| You only think this is bad because you believe CAs add some value.
|
| Presumably the value they add is that they keep browsers from popping
| up scary
| Hi,
|
| This may be out of the remit of the list, if so a pointer to a more
| appropriate forum would be welcome.
|
| In Applied Crypto, the use of padding for CBC encryption is suggested
| to be met by ending the data block with a 1 and then all 0s to the end
| of the block size.
|
| Is this
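An added example (not from the thread) of that padding rule in C, with the two details that cause trouble in practice: input that already fills a block still gets a whole extra block of padding, since a padding byte must always be present for unpadding to be unambiguous, and the unpadder rejects anything that is not exactly one 0x80 byte followed by zeros within the last block. BLOCK = 16 is assumed for a 128-bit block cipher; the "1 then 0s" is written at byte granularity as 0x80 00 ... 00.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLOCK 16   /* assumed 128-bit block cipher */

/* Length after padding: always at least one byte is added, so data that
   is already a multiple of BLOCK grows by a full block. */
size_t pad_len(size_t len) { return (len / BLOCK + 1) * BLOCK; }

/* Append 0x80 (a 1 bit then seven 0 bits) and then 0x00 up to the block
   boundary. Returns the padded length, or 0 if `out` is too small. */
size_t pad_10(const uint8_t *in, size_t len, uint8_t *out, size_t cap) {
    size_t total = pad_len(len);
    if (cap < total) return 0;
    memcpy(out, in, len);
    out[len] = 0x80;
    memset(out + len + 1, 0x00, total - len - 1);
    return total;
}

/* Returns the data length, or -1 if the padding is malformed. Scans back
   at most one block, because valid padding is never longer than BLOCK. */
long unpad_10(const uint8_t *buf, size_t len) {
    if (len == 0 || len % BLOCK != 0) return -1;
    size_t i = len, limit = len - BLOCK;
    while (i > limit) {
        i--;
        if (buf[i] == 0x80) return (long)i;
        if (buf[i] != 0x00) return -1;    /* non-zero byte after the 0x80 position */
    }
    return -1;                            /* a whole block of zeros: no 0x80 */
}

/* Pad then unpad a constructed buffer of the given length; 1 on success. */
int roundtrip_ok(size_t len) {
    uint8_t in[64], out[80];
    if (len > sizeof in) return 0;
    for (size_t i = 0; i < len; i++) in[i] = (uint8_t)(i * 7 + 1);   /* constructed data */
    size_t n = pad_10(in, len, out, sizeof out);
    if (n == 0) return 0;
    long m = unpad_10(out, n);
    return m == (long)len && memcmp(in, out, len) == 0;
}

/* The malformed cases the unpadder must refuse; 1 if all are rejected. */
int malformed_rejected(void) {
    uint8_t zeros[BLOCK] = {0};
    uint8_t junk[BLOCK] = {0};
    junk[BLOCK - 3] = 0x80;
    junk[BLOCK - 1] = 0x01;               /* non-zero after the 0x80 */
    return unpad_10(zeros, BLOCK) == -1
        && unpad_10(junk, BLOCK) == -1
        && unpad_10(junk, 7) == -1;       /* not a multiple of the block size */
}
```

One caveat a practitioner will want alongside this: whatever padding scheme is used, the receiver must verify the MAC before it decrypts and unpads, and must not let the peer distinguish a padding failure from any other failure (in timing or in error codes). Otherwise the unpadder's accept/reject answer becomes a padding oracle that decrypts CBC ciphertext one byte at a time.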
| ...I imagine this will eventually have a big impact on the way organizations
| respond to stolen mobile device incidents. With the current technology, if a
| laptop or mobile device is on when it's stolen, companies will need to assume
| that the data is gone, regardless of whether or not
| Their key recovery technique gets a lot of mileage from using the
| computed key schedule for each round of AES or DES to provide
| redundant copies of the bits of the key. If the computer cleared
| the key schedule storage, while keeping the key itself when the
| system is in sleep mode, or
|SAN FRANCISCO -- Toshiba Corp. has claimed a major breakthrough in
|the field of security technology: It has devised the world's
|highest-performance physical random-number generator (RNG)
|circuit.
|
|The device generates random numbers at a data rate of 2.0 megabits
|a
Today's Dilbert -
http://www.unitedmedia.com/comics/dilbert/archive/images/dilbert23667240080211.gif
is right on point
-- Jerry
-
The Cryptography Mailing List
| By the way, it seems like one thing that might help with client certs
| is if they were treated a bit like cookies. Today, a website can set
| a cookie in your browser, and that cookie will be returned every time
| you later visit that website. This all happens automatically. Imagine
| if a
| - Truncate the MAC to, say, 4 bytes. Yes, a simple brute
| force attack lets one forge so short a MAC - but
| is such an attack practically mountable in real
| time by attackers who concern you?
|
| In fact, 32-bit authentication tags are a feature
| So, this issue has been addressed in the broadcast signature context
| where you do a two-stage hash-and-sign reduction (cf. [PG01]), but
| but this only really works because hashes are a lot more efficient
| than signatures. I don't see why it helps with MACs.
Thanks for the reference.
|
Commenting on just one portion:
| 2. VoIP over DTLS
| As Perry indicated in another message, you can certainly run VoIP
| over DTLS, which removes the buffering and retransmit issues
| James is alluding to. Similarly, you could run VoIP over IPsec
| (AH/ESP). However, for performance reasons,
Anyone know anything about these guys? (www.vaultid.com). They
are trying to implement one-time credit card numbers on devices
you take with you - initially cell phones and PDA's, eventually in
a credit card form factor. The general idea seems good, but their
heavy reliance on fingerprint
| http://www.google.com/patents?vid=USPAT6993661
|
| Gee, the inventor is Simson Garfinkel, who's written a bunch of books
| including Database Nation, published in 2000 by O'Reilly, about all
| the way the public and private actors are spying on us.
|
| I wonder whether this was research to see
| Date: Fri, 04 Jan 2008 16:38:07 +1300
| From: Peter Gutmann [EMAIL PROTECTED]
| To: cryptography@metzdowd.com
| Subject: DRM for batteries
|
| http://www.intersil.com/cda/deviceinfo/0,1477,ISL6296,0.html
|
| At $1.40 each (at least in sub-1K quantities) you wonder whether it's
| costing them
Virtualization has become the magic pixie dust of the decade.
When IBM originally developed VMM technology, security was not a primary
goal. People expected the OS to provide security, and at the time it
was believed that OS's would be able to solve the security problems.
As far as I know, the
| So... supposing I was going to design a crypto library for use within
| a financial organization, which mostly deals with credit card numbers
| and bank accounts, and wanted to create an API for use by developers,
| does anyone have any advice on it?
|
| It doesn't have to be terribly complete,
| The whole point of a notary is to bind a document to a person. That
| the person submitted two or more different documents at different
| times is readily observable. After all, the notary has the
| document(s)!
|
| No, the notary does not have the documents *after* they are notarized,
|
| It is, of course, the height of irony that the bug was introduced in
| the very process, and for the very purpose, of attaining FIPS
| compliance!
|
| But also to be expected, because the feature in question is
| unnatural: the software needs a testable PRNG to pass the compliance
| tests,
| Then the compiler can look at the implementation and prove that a
| memset() to a dead variable can be elided
|
| One alternative is to create zero-ing functions that wrap memset()
| calls with extra instructions that examine some of the memory, log a
| message and exit the application if
| However, that doesn't say anything about whether f is actually
| invoked at run time. That comes under the acts as if rule: If
| the compiler can prove that the state of the C (notional) virtual
| machine is the same whether f is actually invoked or not, it can
| elide the call. Nothing
| If the function is defined as I suggested - as a static or inline -
| you can, indeed, take its address. (In the case of an inline, this
| forces the compiler to materialize a copy somewhere that it might
| not otherwise have produced, but not to actually *use* that copy,
| except when
| Exactly what makes this problem so difficult eludes me, although one
| suspects that the savage profit margins on consumables like
| keyboards and mice might have something to do with it.
|
| It's moderately complex if you're trying to conserve bandwidth (which
| translates to power) and
| There was a discussion on this list a year or two back about
| problems in using memset() to zeroise in-memory data, specifically
| the fact that optimising compilers would remove a memset() on
| (apparently) dead data in the belief that it wasn't serving any
| purpose.
|
| Then,
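An added example, not code from any of the messages above, of the two portable ways out of the memset() problem this thread keeps returning to: calling memset() through a volatile function pointer, and storing through a volatile pointer. Both work because volatile accesses are observable behaviour that the "acts as if" rule cannot remove. The key_ctx_t struct and its "expansion" are stand-ins of my own, not AES, included to make the point raised earlier in this archive that the expanded key schedule carries the key's bits redundantly and has to be wiped along with the key.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Route the call through a volatile function pointer. The compiler cannot
   know what it will call at run time, so the "as if" rule gives it no way
   to prove the stores are dead and elide them. */
static void *(*volatile secure_memset_fn)(void *, int, size_t) = memset;

void secure_zero(void *p, size_t n) {
    secure_memset_fn(p, 0, n);
}

/* No-libc alternative: stores through a volatile pointer are side effects
   of the abstract machine and must be performed. */
void secure_zero_volatile(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Branch-free "is it all zero" check used by the demos below. */
int is_zeroed(const void *p, size_t n) {
    const unsigned char *b = (const unsigned char *)p;
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= b[i];
    return acc == 0;
}

/* Stand-in key context: a 16-byte key plus an expanded schedule with the
   shape of AES-128's (11 round keys of 16 bytes). The expansion below is a
   placeholder, not AES; the point is only that the schedule holds the key's
   bits redundantly and must be wiped together with the key. */
typedef struct {
    uint8_t key[16];
    uint8_t schedule[11 * 16];
} key_ctx_t;

void key_ctx_setup(key_ctx_t *ctx, const uint8_t key[16]) {
    memcpy(ctx->key, key, 16);
    for (size_t i = 0; i < sizeof ctx->schedule; i++)
        ctx->schedule[i] = key[i % 16] ^ (uint8_t)(i / 16);   /* placeholder expansion */
}

/* Wipe key and schedule in one go, at the point where the key goes out of
   use: before sleep, before free(), before the function returns. */
void key_ctx_wipe(key_ctx_t *ctx) {
    secure_zero(ctx, sizeof *ctx);
}

/* Returns 1 if the context held key material and is all zero after wiping. */
int demo_wipe(void) {
    static const uint8_t k[16] = { 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
                                   0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c };   /* constructed */
    key_ctx_t ctx;
    key_ctx_setup(&ctx, k);
    int had_material = !is_zeroed(&ctx, sizeof ctx);
    key_ctx_wipe(&ctx);
    int wiped = is_zeroed(&ctx, sizeof ctx);
    return had_material && wiped;
}

/* Same check for the volatile-store variant. */
int demo_wipe_volatile(void) {
    uint8_t buf[32];
    memset(buf, 0xAA, sizeof buf);
    secure_zero_volatile(buf, sizeof buf);
    return is_zeroed(buf, sizeof buf);
}
```

Two things to keep in mind. First, the demos read the buffer after wiping it, which by itself would keep even a plain memset() alive; the real problem is the production path where nothing reads the buffer again, and that is exactly the case a test cannot exercise, so the guarantee has to come from the volatile access, not from observing the result. Second, this only clears the bytes you point at: copies the compiler spilled to other stack slots or registers, and copies made by earlier memcpy() calls, are untouched. C11's memset_s and the BSD/glibc explicit_bzero exist for the same purpose where they are available.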
| What does it say about the integrity of the FIPS program, and its CMTL
| evaluation process, when it is left to competitors to point out
| non-compliance of evaluated products -- proprietary or open source --
| to basic architectural requirements of the standard?
I was going to ask the same
Flylogic Engineering does some very interesting tampering with tamper-
resistant parts. Most of those secure USB sticks you see around won't
last more than a couple of minutes with these guys.
See http://www.flylogic.net/blog
-- Jerry
Little progress on government-wide smart card initiative, and little
surprise
November 14, 2007 (Computerworld) More than three years after a
presidential directive requiring federal government agencies to issue
new smart-card identity credentials to all employees and contractors,
progress on
Sometimes the side-effects are as significant as the direct effects
-- Jerry
Story from BBC NEWS:
http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/7091206.stm
Fears over online banking checks
By Mark Ward
Technology Correspondent,
| Xerox Unveils Technology That Blocks Access to Sensitive Data in
| Documents to Prevent Security Leaks
| http://www.parc.com/about/pressroom/news/2007-10-15-redaction.html
|
| The Innovation: The technology includes a detection software tool that
| uses content analysis and an intelligent user
| Date: Sat, 13 Oct 2007 03:20:48 -0400
| From: Victor Duchovni [EMAIL PROTECTED]
| To: cryptography@metzdowd.com
| Subject: Re: Quantum Cryptography to be used for Swiss elections
|
| On Fri, Oct 12, 2007 at 11:04:15AM -0400, Leichter, Jerry wrote:
|
| No comment from me on the appropriateness
| ... What's wrong with starting
| with input SALT || PASSWORD and iterating N times,
|
| Shouldn't it be USERID || SALT || PASSWORD to guarantee that if
| two users choose the same password they get different hashes?
| It looks to me like this would make dictionary attacks harder too.
As
No comment from me on the appropriateness. From Computerworld.
-- Jerry
Quantum cryptography to secure ballots in Swiss election
Ellen Messmer
October 11, 2007 (Network World) Swiss officials are using quantum
cryptography technology
| A slightly off-topic question: if we accept that current processes
| (FIPS-140, CC, etc) are inadequate indicators of quality for OSS
| products, is there something that can be done about it? Is there a
| reasonable criteria / process that can be built that is more suitable?
Well, if you
| But, opportunistic cryptography is even more fun. It is
| very encouraging to see projects implement cryptography in
| limited forms. A system that uses a primitive form of
| encryption is many orders of magnitude more secure than a
| system that implements none.
|
| Primitive form -
Retail group takes a swipe at PCI, puts card companies 'on notice'
Jaikumar Vijayan
October 04, 2007 (Computerworld) Simmering discontent within the retail
industry over the payment card industry (PCI) data security standards
erupted into the open this week with the National Retail Federation
| I often say, Rub a pair of cryptographers together, and you'll
| get three opinions. Ask three, you'll get six opinions. :-)
|
| However, he's talking about security, which often isn't quantifiable!
From what I see in the arguments, it's more complicated than that.
On one side, we have
The movie studios live in fear of people stealing their product as it
all goes digital. There's, of course, always the analogue hole, the
point where the data goes to the display. The industry defined an
all-digital, all-licensed-hardware path through HDMI which blocks this
path. As we know,
| If you think about this in general terms, we're at the point where we
| can avoid having to trust the CPU, memory, disks, programs, OS, etc.,
| in the borrowed box, except to the degree that they give us access to
| the screen and keyboard. (The problem of securing connections that
| go
| Anyone know anything about the Yoggie Pico (www.yoggie.com)? It
| claims to do much more than the Ironkey, though the language is a bit
| less marketing-speak. On the other hand, once I got through the
| marketing stuff to the technical discussions at Ironkey, I ended up
| with much more in
Anyone know anything about the Yoggie Pico (www.yoggie.com)? It claims
to do much more than the Ironkey, though the language is a bit less
marketing-speak. On the other hand, once I got through the
marketing stuff to the technical discussions at Ironkey, I ended
up with much more in the way of
| The world's most secure USB Flash Drive: https://www.ironkey.com/demo.
What makes you call it snake oil? At least the URL you point to says
very reasonable things: It uses AES, not some home-brew encryption; the
keys are stored internally; the case is physically protected, and has
some kind of
| Between encrypted VOIP over WIFI and eventually over broadband cell -
| keeping people from running voice over their broadband connections is
| a battle the telco's can't win in the long run - and just plain
| encrypted cell phone calls, I think in a couple of years anyone who
| wants secure
| Crypto has been an IP minefield for some years. With the expiry of
| certain patents, and the availability of other unencumbered crypto
| primitives (eg. AES), we may see this change. But John's other
| points are well made, and still valid. Downloadable MP3 ring tones
| are a selling
So, you want to be able to prove in the future that you have some piece of
information today - without revealing that piece of information. We all
know how to do that: Widely publish today the one-way hash of the
information.
Well ... it turns out this idea is old. Very old. In the 17th
From CIO magazine. For the record, I, like the author, am a Bank of
America customer, but unlike her I've started using their on-line
services. What got me to do it was descriptions of the increasing
vulnerability of traditional paper-based mechanisms: If I pay a
credit card by mail, I leave
| | Given that all you need for this is a glorified pocket
| | calculator, you could (in large enough quantities) probably get
| | it made for $10, provided you shot anyone who tried to
| | introduce product-deployment DoS mechanisms like smart cards and
| | EMV into the picture. Now
All your data belong to us. From Computerworld.
-- Jerry
Trusted Computing Group turns attention to storage
Chris Mellor
June 24, 2007 (TechWorld.com) The Trusted Computing Group has announced
a draft specification aimed at helping
As always, banks look for ways to shift the risk of fraud to someone -
anyone - else. The New Zealand banks have come up with some interesting
wrinkles on this process. From Computerworld.
-- Jerry
NZ banks demand a peek at customer PCs
| http://www.sciam.com/article.cfm?articleid=6670BF9B-E7F2-99DF-3EAC1C6DC382972F
|
| A company is selling a window film that blocks most RF signals. The
| obvious application is TEMPEST-shielding. I'm skeptical that it will
| be very popular -- most sites won't want to give up Blackberry and
|
| Leichter, Jerry writes:
| -+---
| | As always, banks look for ways to shift the risk of
| | fraud to someone - anyone - else. The New Zealand
| | banks have come up with some interesting wrinkles on
| | this process.
| |
|
| This is *not* a power play by banks
| ...Apple is one vendor who I gather does include a TPM chip on their
| systems, I gather, but that wasn't useful for me.
Apple included TPM chips on their first round of Intel-based Macs.
Back in 2005, there were all sorts of stories floating around the net
about how Apple would use TPM to
| - Quantum Cryptography is fiction (strictly claims that it solves
|an applied problem are fiction, indisputably interesting Physics).
|
| Well that is a broad (and maybe unfair) statement.
|
| Quantum Key Distribution (QKD) solves an applied problem of secure key
|
| Many protocols use some form of self describing data format, for
| example ASN.1, XML, S expressions, and bencoding.
|
| Why?
|
| Presumably both ends of the conversation have negotiated what protocol
| version they are using (and if they have not, you have big problems)
| and when they
Interesting-looking article on how users of P2P networks end up sharing
much more than they expected: http://weis2007.econinfosec.org/papers/43.pdf
-- Jerry
| Interesting-looking article on how users of P2P networks end up sharing
| much more than they expected: http://weis2007.econinfosec.org/papers/43.pdf
Earlier analysis by the USPTO:
http://www.uspto.gov/web/offices/dcom/olia/copyright/oir_report_on_inadvertent_sharing_v1012.pdf
| Just being able to generate traffic over the link isn't enough to
| carry out this attack.
|
| Well, it depends on if you key per-flow or just once for the link. If
| the latter, and you have the ability to create traffic over the link,
| and there's a 1-for-1 correspondence between
| | Frankly, for SSH this isn't a very plausible attack, since
| | it's not clear how you could force chosen plaintext into an
| | SSH session between messages. A later paper suggested that
| | SSL is more vulnerable: A browser plugin can insert data into
| | an SSL protected
| Frankly, for SSH this isn't a very plausible attack, since it's not
| clear how you could force chosen plaintext into an SSH session between
| messages. A later paper suggested that SSL is more vulnerable:
| A browser plugin can insert data into an SSL protected session, so
| might be
| Frankly, for SSH this isn't a very plausible attack, since it's not
| clear how you could force chosen plaintext into an SSH session between
| messages. A later paper suggested that SSL is more vulnerable:
| A browser plugin can insert data into an SSL protected session, so
| might be able
| It would be amusing if the HD-DVD encryption key that has been the
| subject of the recent pseudo-takedown notices were to show up in a
| T-shirt for sale.
|
| Now that services like Cafe Press exist, someone could start selling
| such shirts almost as fast as they could put together a nice
| What problem does this (chaining IV from message to message) introduce
| in our case?
|
| See RFC4251:
|
|
|Additionally, another CBC mode attack may be mitigated through the
|insertion of packets containing SSH_MSG_IGNORE. Without this
|technique, a specific attack may be
| What the RFC seems to be suggesting is that the first block of every
| message be SSH_MSG_IGNORE. Since the first block in any message is now
| fixed, there's no way for the attacker to choose it. Since the attacker
|
| SSH_MSG_IGNORE messages carry [random] data.
|
| Effectively what the
| Suppose we use AES128-CBC with a fixed IV. It's clear that the only
| vulnerability of concern occurs when a key is reused. OK, where do
|
| No, remember that if the IV is in the clear, an attacker can
| make some controlled bit changes in the first plaintext block.
| (There has been no
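An added, worked version of the attack this subthread is about (example code, not from the thread, and not the cipher SSH uses): a toy 64-bit Feistel block cipher of my own stands in for AES so the CBC mechanics fit in a few lines, and the key, IV and "password" blocks are constructed values. The victim chains the IV across messages, as SSH did, so the attacker knows the IV of the next message before it is sent; combined with chosen plaintext in the first block, that becomes a test of whether an earlier plaintext block equalled a guess.

```c
#include <stddef.h>
#include <stdint.h>

#define ROUNDS 8

/* Toy 64-bit Feistel block cipher. It is a real permutation, which is all
   the attack needs, but it is NOT a secure cipher and NOT what SSH uses. */
static uint32_t rotl32(uint32_t x, int r) { return (x << r) | (x >> (32 - r)); }

static uint32_t toy_round(uint32_t x, uint32_t k) {
    x += k;
    x *= 0x9E3779B1u;
    x ^= rotl32(x, 13);
    x *= 0x85EBCA6Bu;
    return x ^ (x >> 16);
}

void toy_schedule(uint64_t key, uint32_t rk[ROUNDS]) {
    for (int i = 0; i < ROUNDS; i++) {              /* simple LCG-based schedule */
        key = key * 6364136223846793005ULL + 1442695040888963407ULL;
        rk[i] = (uint32_t)(key >> 32);
    }
}

uint64_t toy_encrypt(uint64_t block, const uint32_t rk[ROUNDS]) {
    uint32_t l = (uint32_t)(block >> 32), r = (uint32_t)block;
    for (int i = 0; i < ROUNDS; i++) {
        uint32_t t = r;
        r = l ^ toy_round(r, rk[i]);
        l = t;
    }
    return ((uint64_t)r << 32) | l;                /* undo the final swap */
}

uint64_t toy_decrypt(uint64_t block, const uint32_t rk[ROUNDS]) {
    uint32_t r = (uint32_t)(block >> 32), l = (uint32_t)block;
    for (int i = ROUNDS - 1; i >= 0; i--) {
        uint32_t t = l;
        l = r ^ toy_round(l, rk[i]);
        r = t;
    }
    return ((uint64_t)l << 32) | r;
}

int toy_roundtrip_ok(uint64_t key, uint64_t block) {
    uint32_t rk[ROUNDS];
    toy_schedule(key, rk);
    return toy_decrypt(toy_encrypt(block, rk), rk) == block;
}

/* CBC encryptor whose IV for message n+1 is the last ciphertext block of
   message n: the chaining value is always something the attacker has seen. */
typedef struct { uint32_t rk[ROUNDS]; uint64_t chain; } cbc_chain_t;

void cbc_init(cbc_chain_t *s, uint64_t key, uint64_t iv) {
    toy_schedule(key, s->rk);
    s->chain = iv;
}

void cbc_encrypt_msg(cbc_chain_t *s, const uint64_t *pt, uint64_t *ct, size_t nblocks) {
    for (size_t i = 0; i < nblocks; i++) {
        s->chain = toy_encrypt(pt[i] ^ s->chain, s->rk);
        ct[i] = s->chain;
    }
}

/* Attacker: saw iv0 and c1 = E(P1 ^ iv0) earlier, and knows the current
   chaining value. Getting p' = guess ^ iv0 ^ chain encrypted as the next
   first block yields E(guess ^ iv0), which equals c1 iff guess == P1. */
uint64_t attack_probe_block(uint64_t guess, uint64_t iv0, uint64_t chain) {
    return guess ^ iv0 ^ chain;
}

int attack_confirms(uint64_t probe_ct, uint64_t c1) { return probe_ct == c1; }

/* Constructed end-to-end run: 1 iff the right guess is confirmed and a
   wrong one is rejected. */
int demo_chained_iv_attack(void) {
    const uint64_t iv0 = 0x0123456789abcdefULL;             /* constructed IV */
    const uint64_t secret[2] = { 0x7061737377303031ULL,     /* "passw001", constructed */
                                 0x2020202020202020ULL };
    const uint64_t right = secret[0], wrong = secret[0] ^ 1;
    uint64_t ct[2], probe, probe_ct;
    cbc_chain_t victim;

    cbc_init(&victim, 0xdeadbeefcafebabeULL, iv0);          /* constructed key */
    cbc_encrypt_msg(&victim, secret, ct, 2);                /* attacker sees iv0, ct[0], ct[1] */

    probe = attack_probe_block(right, iv0, victim.chain);   /* chain == ct[1], already on the wire */
    cbc_encrypt_msg(&victim, &probe, &probe_ct, 1);         /* victim encrypts the attacker's block */
    int hit = attack_confirms(probe_ct, ct[0]);

    probe = attack_probe_block(wrong, iv0, victim.chain);   /* chain has moved on; recompute */
    cbc_encrypt_msg(&victim, &probe, &probe_ct, 1);
    int miss = attack_confirms(probe_ct, ct[0]);

    return hit && !miss;
}
```

Knowing the next IV in advance lets the attacker cancel it: E(probe XOR chain) = E(guess XOR iv0), and comparing the result with c1 settles the guess, one candidate per probe. That is a confirmation attack, not a decryption, which is why it matters most for low-entropy blocks such as passwords. Filling the first block with random SSH_MSG_IGNORE data, the RFC 4251 mitigation quoted above, takes the choice of that block away from the attacker; an unpredictable per-message IV, or a counter mode, removes the problem altogether.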