Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-27 Thread Solar Designer
On Mon, Nov 28, 2011 at 06:06:45PM +1300, Peter Gutmann wrote: > Solar Designer writes: > > >Here are some examples of 512-bit RSA keys factored: > > Right, but that doesn't say anything about what happened here. [...] Sure. I was not arguing with you, but rather I thought I'd provide some mor

Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-27 Thread Peter Gutmann
Solar Designer writes: >Here are some examples of 512-bit RSA keys factored: Right, but that doesn't say anything about what happened here. In every other case we know of in which malware has been signed by CA-issued certs, the keys were either stolen or, more rarely, bought using stolen cred

Re: [cryptography] 512-bit certs used in attack

2011-11-27 Thread Marsh Ray
On 11/27/2011 09:57 PM, Peter Gutmann wrote: That's an example of *claims* of 512-bit keys being factored, with the thinking being "everyone knows 512-bit keys are weak, the certs used 512-bit keys, therefore they must have got them by factoring". Yeah. It seems like an important point. http:/

Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-27 Thread Solar Designer
On Mon, Nov 28, 2011 at 04:57:03PM +1300, Peter Gutmann wrote: > Marsh Ray writes: > > >* Here's an example of RSA-512 certificates being factored and used to sign > >malware: > >http://blog.fox-it.com/2011/11/21/rsa-512-certificates-abused-in-the-wild/ > > That's an example of *claims* of 512-b

Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-27 Thread Peter Gutmann
Steven Bellovin writes: >Does anyone know of any (verifiable) examples of non-government enemies >exploiting flaws in cryptography? Could you be a bit more precise about what "flaws in cryptography" covers? If you mean exploiting bad or incorrect implementations of crypto then there's so much

Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-27 Thread Peter Gutmann
Marsh Ray writes: >* Here's an example of RSA-512 certificates being factored and used to sign >malware: >http://blog.fox-it.com/2011/11/21/rsa-512-certificates-abused-in-the-wild/ That's an example of *claims* of 512-bit keys being factored, with the thinking being "everyone knows 512-bit keys

Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-27 Thread Peter Gutmann
Landon Hurley writes: >So would the recent $200 hardware break of hdmi encryption. HDCP was a social, political, and economic fail, not necessarily a crypto fail. I certainly don't want to denigrate the work that the guys at the Ruhr Uni did, but you've been able to buy commercial HDCP stripper

Re: [cryptography] Declassified NSA Tech Journals

2011-11-27 Thread Peter Gutmann
Particularly interesting is "Some Principles of Cryptographic Security - Summer 1974 - Vol. XIX, No. 3", sort of an updated/revisited version of the oft-quoted Kerckhoffs's principles. Peter.

Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-27 Thread Sandy Harris
On Mon, Nov 28, 2011 at 4:10 AM, Steven Bellovin wrote: > Does anyone know of any (verifiable) examples of non-government enemies > exploiting flaws in cryptography?  I'm looking for real-world attacks on > short key lengths, bad ciphers, faulty protocols, etc., by parties other > than governments

Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-27 Thread Solar Designer
On Sun, Nov 27, 2011 at 10:14:48PM +0100, Florian Weimer wrote: > ... attacks on malware encryption schemes by the AV industry. A curious example of this is poor crypto in the original Back Orifice, where, if I recall correctly, some IDS products would try to crack the encryption key in real time

Re: [cryptography] Auditable CAs

2011-11-27 Thread Ben Laurie
On Sun, Nov 27, 2011 at 10:54 PM, Tom Ritter wrote: > So my biggest question is what defines a "publically visible > certificate"?  Of course every certificate gmail uses would be > public... but what about the cert that corresponds to the new product > google is launching that's in beta for a few

Re: [cryptography] Auditable CAs

2011-11-27 Thread Tom Ritter
So my biggest question is what defines a "publically visible certificate"? Of course every certificate gmail uses would be public... but what about the cert that corresponds to the new product google is launching that's in beta for a few users? That cert should be published... but then that lets

Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-27 Thread Tom Ritter
On 27 November 2011 20:10, Steven Bellovin wrote: > Does anyone know of any (verifiable) examples of non-government enemies > exploiting flaws in cryptography?  I'm looking for real-world attacks on > short key lengths, bad ciphers, faulty protocols, etc., by parties other > than governments and m

Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-27 Thread Florian Weimer
* Steven Bellovin: > Does anyone know of any (verifiable) examples of non-government enemies > exploiting flaws in cryptography? DeCSS and subsequent DRM failures (including modchips), L0phtcrack, the IMSI catcher*, some Elcomsoft products (particularly those better than brute force), attacks on

Re: [cryptography] Declassified NSA Tech Journals

2011-11-27 Thread lodewijk andré de la porte
Personally, I think it's hilarious the "Extraterrestrial Intelligence" parts, about "how would other races try to contact us" haven't changed AT ALL since then and this actually had some original ideas. Like the "controlled neutron bursts" for communication, that's actually extra useful because th

[cryptography] Auditable CAs

2011-11-27 Thread Ben Laurie
Given the recent discussion on Sovereign Keys I thought people might be interested in a related, but less ambitious, idea Adam Langley and I have been kicking around: http://www.links.org/files/CertificateAuthorityTransparencyandAuditability.pdf.

Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-27 Thread Marsh Ray
Steven Bellovin wrote: Does anyone know of any (verifiable) examples of non-government enemies exploiting flaws in cryptography? I'm looking for real-world attacks on short key lengths, bad ciphers, faulty protocols, etc., by parties other than governments and militaries. I'm not interested in

Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-27 Thread Landon Hurley
GSM and the Kaos club expert would be a good example. So would the recent $200 hardware break of hdmi encryption. Steven Bellovin wrote: >Does anyone know of any (verifiable) examples of non-government enemies >exploiting flaws in cryptography?

[cryptography] Non-governmental exploitation of crypto flaws?

2011-11-27 Thread Steven Bellovin
Does anyone know of any (verifiable) examples of non-government enemies exploiting flaws in cryptography? I'm looking for real-world attacks on short key lengths, bad ciphers, faulty protocols, etc., by parties other than governments and militaries. I'm not interested in academic attacks -- I wan

[cryptography] Declassified NSA Tech Journals

2011-11-27 Thread Marsh Ray
Came across this on Reddit: Declassified NSA Tech Journals http://www.nsa.gov/public_info/declass/tech_journals.shtml It all looks so interesting it's hard to know where to start. - Marsh * Emergency Destruction of Documents - April 1956 - Vol. I, No. 1 * Development of Automatic Telegraph Sw

Re: [cryptography] fyi: Sovereign Keys: an EFF proposal for more secure TLS authentication

2011-11-27 Thread Jeffrey Walton
On Sun, Nov 27, 2011 at 8:38 AM, Adam Back wrote: > Yes, it's the way I would've done it.  Actually coincidentally I already did > propose doing it exactly that way in around 1999: > > http://www.cypherspace.org/p2p/auditable-namespace.html > > (That was about censor resistant DNS->ip mapping with

Re: [cryptography] fyi: Sovereign Keys: an EFF proposal for more secure TLS authentication

2011-11-27 Thread Adam Back
Yes, it's the way I would've done it. Actually coincidentally I already did propose doing it exactly that way in around 1999: http://www.cypherspace.org/p2p/auditable-namespace.html (That was about censor resistant DNS->ip mapping with public auditability. And that might still be something to t