Re: [cryptography] the spell is broken

2013-10-03 Thread James A. Donald
On 2013-10-04 08:54, Eric Murray wrote: NSA can act through people outside NIST too. Committees tend to wind up controlled by evil conspiracies. That is another advantage of having standards set by an unelected president for life instead of a committee. A committee multiplies the points of

Re: [cryptography] the spell is broken

2013-10-03 Thread James A. Donald
On 2013-10-04 11:26, Jeffrey Goldberg wrote: But not using AES is a protest that hurts only ourselves. I have always been inclined to believe that that twofish is better than AES. Refusing to use AES, or making it the non default choice, is rejecting NIST as a standards body. We need to rej

Re: [cryptography] the spell is broken

2013-10-03 Thread James A. Donald
On 2013-10-04 11:41, Jeffrey Walton wrote: We could not get rid of Trustwave in the public sector (so much for economics). What is wrong with trustwave? They are smart people, unlike the world bank economists who do not know the difference between negative feedback and positive feedback, or

Re: [cryptography] the spell is broken

2013-10-03 Thread Jeffrey Walton
On Thu, Oct 3, 2013 at 9:26 PM, Jeffrey Goldberg wrote: >... > > I would put it more strongly than that. I think that NIST needs to be > punished. Even if Dual_EC_DRBG were their only lapse, any entity that has > allowed themselves to be used that way should be forced to exit the business > of

Re: [cryptography] the spell is broken

2013-10-03 Thread Jeffrey Goldberg
Jon, first of all thank you for your extremely thoughtful note. I suspect that we will find that we don’t actually disagree about much, and also my previous rant was driven by the general anger and frustration that all of us are experiencing. That is, I may have been misdirecting my anger at the

Re: [cryptography] the spell is broken

2013-10-03 Thread Peter Gutmann
"James A. Donald" writes: >By moving away from anything NIST has touched he deprives the NSA of leverage >to insert backdoors, Just as a bit of a counterpoint here, how far do you want to go down this rathole? Someone recently pointed me to the latest CERT vuln. summary (because of a few intere

Re: [cryptography] the spell is broken

2013-10-03 Thread James A. Donald
On 2013-10-04 08:04, Paul Wouters wrote: Reasoning that way, you're very quickly left with not but a tin foil hat. Let's say we agree on twofish. Then NIST/NSA certifies it for FIPS. Are we then taking that as proof it is compromised and figure out something else? If people were adopting twofi

Re: [cryptography] the spell is broken

2013-10-03 Thread Eric Murray
On 10/03/2013 03:22 PM, James A. Donald wrote: > By moving away from anything NIST has touched he deprives the NSA of > leverage to insert backdoors, NSA can act through people outside NIST too. By focusing on NIST we miss the larger problem. Any cryptographer or security engineer can be comprom

Re: [cryptography] A question about public keys

2013-10-03 Thread James A. Donald
On 2013-10-04 03:45, Adam Back wrote: Is it just me or could we better replace NIST by DJB ? ;) He can do that EC crypto, and do constant time coding (nacl), and non-hackable mail servers (qmail), and worst-time databases (cdb). Most people in the world look like rank amateurs or no-real-pro

Re: [cryptography] the spell is broken

2013-10-03 Thread James A. Donald
On 2013-10-04 07:31, Jon Callas wrote: absolutely, this is an emotional response. It's protest. Intellectually, I believe that AES and SHA2 are not compromised. Emotionally, I am angry and I want to distance myself from even the suggestion that I am standing with the NSA. As Coderman and Iang

Re: [cryptography] the spell is broken

2013-10-03 Thread Kelly John Rose
Not quite. If people agree on Twofish and a generalized standard outside of NIST, then if NIST picks it up and agrees as well there isn't much concern. The problem is with older existing standards or if NIST provides unexplained changes or magic values to the standard. On 03/10/2013 4:04 PM, Paul

Re: [cryptography] the spell is broken

2013-10-03 Thread Paul Wouters
On Thu, 3 Oct 2013, Kelly John Rose wrote: In short, I feel that all trust for NIST has to be broken. It doesn't matter if AES or SHA-2 is broken or not broken. You cannot go into a security environment with a tool that is known to be compromised (NIST) and just hope and pray that the pieces you

Re: [cryptography] the spell is broken

2013-10-03 Thread Kelly John Rose
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I agree fully Jon. In short, I feel that all trust for NIST has to be broken. It doesn't matter if AES or SHA-2 is broken or not broken. You cannot go into a security environment with a tool that is known to be compromised (NIST) and just hope and pray

Re: [cryptography] the spell is broken

2013-10-03 Thread Jon Callas
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Oct 3, 2013, at 7:13 AM, Jeffrey Goldberg wrote: Jeff, You might call it "security theatre," but I call it (among other things) "protest." I have also called it "trust," "conscience," and other things including "emotional." I'm willing to call

Re: [cryptography] One Time Pad Cryptanalysis

2013-10-03 Thread Florian Weimer
* Ben Laurie: >> | 10.6 Compression, Encoding, And Encryption >> | >> | Using a data compression algorithm together with an encryption >> | algorithm makes sense for two reasons: >> | >> | Cryptanalysis relies on exploiting redundancies in the plaintext; >> | compressing a file before encrypti

Re: [cryptography] One Time Pad Cryptanalysis

2013-10-03 Thread Ben Laurie
On 3 October 2013 14:13, Florian Weimer wrote: > > On 02/10/13 at 08:51am, Florian Weimer wrote: > >> There is widespread belief that compressing before encrypting makes > >> cryptanalysis harder, so compression is assumed to be beneficial. > > > Any academic references? > > Applied Cryptography

Re: [cryptography] the spell is broken

2013-10-03 Thread Jeffrey Goldberg
On 2013-10-03, at 1:28 PM, James A. Donald wrote: > On 2013-10-04 00:13, Jeffrey Goldberg wrote: >> So unless you and Silent Circle have information that the rest of us don’t >> about AES and SHA-2, I’m actually pissed off at this action. It puts more >> pressure on us to follow suit, even thou

Re: [cryptography] the spell is broken

2013-10-03 Thread James A. Donald
On 2013-10-04 00:13, Jeffrey Goldberg wrote: So unless you and Silent Circle have information that the rest of us don’t about AES and SHA-2, I’m actually pissed off at this action. It puts more pressure on us to follow suit, even though such a move would be pure security theater. You have to

Re: [cryptography] the spell is broken

2013-10-03 Thread James A. Donald
On 2013-10-04 02:03, Jared Hunter wrote: One of the biggest issues we're wrestling with, I think, is that the crypto community already decided that AES and SHA-2 are just fine. In large part because we trusted NIST. If we do not trust NIST ...

Re: [cryptography] A question about public keys

2013-10-03 Thread Adam Back
On Thu, Oct 03, 2013 at 04:53:09PM +0100, Michael Rogers wrote: Presumably if you ensure that the private key is valid, the public key derived from it must be a point on the curve. So it's a matter of validating private rather than public keys. I understand what you're saying about a timing sid

Re: [cryptography] Asynchronous forward secrecy encryption

2013-10-03 Thread Trevor Perrin
On Thu, Oct 3, 2013 at 9:57 AM, Michael Rogers wrote: > > Great points, thanks! I'd forgotten about triple Diffie-Hellman > (already, tut tut). Has it received any peer review other than being > adopted by Moxie? It was analyzed in a paper by Kudla & Paterson. See Section 5.1, and the note near

Re: [cryptography] Asynchronous forward secrecy encryption

2013-10-03 Thread Michael Rogers
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 03/10/13 17:40, Trevor Perrin wrote: > Having each party sign an ephemeral public key with a long-term > signing key is not, by itself, a good key agreement protocol, due > to: > > * The "identity misbinding" possibility of an attacker signing >

Re: [cryptography] Asynchronous forward secrecy encryption

2013-10-03 Thread Trevor Perrin
On Thu, Oct 3, 2013 at 8:19 AM, Michael Rogers wrote: > > Perhaps we can combine some of the advantages of fingerprints and SAS: > Sure, and I should point out that fingerprints, SAS, and PAKE could all be done in parallel. For example, OTR offers all three (session IDs = SAS; Socialist Milliona

Re: [cryptography] A question about public keys

2013-10-03 Thread Michael Rogers
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 03/10/13 16:45, Trevor Perrin wrote: > Suppose you are a good guy with a static curve25519 key, and a bad > guy is sending you 32-byte strings, claiming them to be ephemeral > curve25519 public keys for use in an ephemeral-static > Diffie-Hellman. >

Re: [cryptography] the spell is broken

2013-10-03 Thread Jared Hunter
On Oct 2, 2013, at 6:23 PM, Jon Callas wrote: [snipped quoted text] > I'm not implying at all that AES or SHA-2 are broken. If P-384 is broken, I > believe the root cause is more that it's old than it was backdoored. > > But it doesn't matter what I think. This is a trust issue. First, thank

Re: [cryptography] A question about public keys

2013-10-03 Thread Michael Rogers
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 03/10/13 15:14, Adam Back wrote: > Well I think there are two issues: > > 1. if the public key is derived from a password (like a bitcoin > brainwallet, or as in EC based PAKE systems) then if the point > derived from your password isn't on the c

Re: [cryptography] A question about public keys

2013-10-03 Thread Trevor Perrin
On Thu, Oct 3, 2013 at 6:41 AM, Michael Rogers wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On 29/09/13 20:24, Nico Williams wrote: > Just because curve25519 > accepts every 32-byte value as a public key > > doesn't mean that every 32-byte value is a valid public key (one > > resul

Re: [cryptography] Asynchronous forward secrecy encryption

2013-10-03 Thread Michael Rogers
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 30/09/13 23:40, Trevor Perrin wrote: > It'd be nice if Alice and Carol could use some additional, > out-of-band channel to authenticate the ephemeral DH exchange. To fill in some background: the use case for this feature is introducing two people w

Re: [cryptography] the spell is broken

2013-10-03 Thread Kelly John Rose
I would also state though, to avoid being too conspiratorial. That it can also imply that AES is simply in peril and they want to move off of it before it is fully broken. On 02/10/2013 6:49 PM, James A. Donald wrote: > On 2013-10-03 04:50, d.nix wrote: >> -BEGIN PGP SIGNED MESSAGE- >> Has

Re: [cryptography] the spell is broken

2013-10-03 Thread Jeffrey Goldberg
On 2013-10-02, at 5:23 PM, Jon Callas wrote: > A friend of mine offered this analogy -- what if it was leaked that the > government replaced all of a vaccine with salt water because some nasty > jihadis get vaccinated. This is serious and pretty horrifying. If you're a > responsible doctor, an

Re: [cryptography] A question about public keys

2013-10-03 Thread Adam Back
Well I think there are two issues: 1. if the public key is derived from a password (like a bitcoin brainwallet, or as in EC based PAKE systems) then if the point derived from your password isn't on the curve, then you know that is not a candidate password, hence you can for free narrow the passwo

Re: [cryptography] A question about public keys

2013-10-03 Thread Michael Rogers
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 29/09/13 20:24, Nico Williams wrote: > Just because curve25519 accepts every 32-byte value as a public key > doesn't mean that every 32-byte value is a valid public key (one > resulting from applying the curve25519 operation). The Elligator > pap

Re: [cryptography] One Time Pad Cryptanalysis

2013-10-03 Thread Florian Weimer
> On 02/10/13 at 08:51am, Florian Weimer wrote: >> There is widespread belief that compressing before encrypting makes >> cryptanalysis harder, so compression is assumed to be beneficial. > Any academic references? Applied Cryptography (2nd edition) contains this: | 10.6 Compression, Encoding, A

Re: [cryptography] the spell is broken

2013-10-03 Thread James A. Donald
On 2013-10-03 21:56, coderman wrote: On Thu, Oct 3, 2013 at 4:28 AM, James A. Donald wrote: ... He does not believe that AES and SHA-2 rest are necessarily broken - but neither does he believe that they are not broken. there is a significant difference between avoiding a cipher on principle,

Re: [cryptography] the spell is broken

2013-10-03 Thread coderman
On Thu, Oct 3, 2013 at 4:28 AM, James A. Donald wrote: > ... > He does not believe that AES and SHA-2 rest are necessarily broken - but > neither does he believe that they are not broken. there is a significant difference between avoiding a cipher on principle, or association, or abundance of c

Re: [cryptography] the spell is broken

2013-10-03 Thread James A. Donald
On 2013-10-03 19:16, coderman wrote: On Wed, Oct 2, 2013 at 5:49 PM, James A. Donald wrote: ... So, people who actually know what they are doing are acting as if they know, or have good reason to suspect, that AES and SHA-2 are broken. James this is not true. i challenge you to find reputabl

Re: [cryptography] the spell is broken

2013-10-03 Thread ianG
On 2/10/13 20:38 PM, Jared Hunter wrote: Aside from the curve change (and even there), this strikes me as a marketing message rather than an important technical choice. The message is "we react to a deeper class of threat than our users understand." There is a wider concept here. The NSA ha

Re: [cryptography] the spell is broken

2013-10-03 Thread coderman
On Wed, Oct 2, 2013 at 5:49 PM, James A. Donald wrote: > ... > So, people who actually know what they are doing are acting as if they know, > or have good reason to suspect, that AES and SHA-2 are broken. James this is not true. i challenge you to find reputable positions backing this assertion

Re: [cryptography] the spell is broken

2013-10-03 Thread ianG
On 3/10/13 01:23 AM, Jon Callas wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Oct 2, 2013, at 12:26 PM, coderman wrote: On Wed, Oct 2, 2013 at 10:38 AM, Jared Hunter wrote: Aside from the curve change (and even there), this strikes me as a marketing message rather than an import