On 04/03/2012 02:29 PM, Marsh Ray wrote:
Therefore, from any packet capture of a PPTP session which includes the
initial handshake, a brute force of the response yields the complete NT
hash with complexity 2^57.
The NT hash is a password-equivalent, and it represents the only secret
material
On 06/22/2012 04:42 PM, Kevin W. Wall wrote:
You wrote "going to DIFFERENT consumers". I am interpreting that as
different processes, but I don't see how a CPU instruction like RdRand
or anything else is going to be process or thread or aware. If you would have omitted the "different",
then it
On 06/21/2012 09:05 PM, ianG wrote:
On 22/06/12 06:53 AM, Michael Nelson wrote:
"At the output of the DRBG, through RdRand, you have no visibility
of these processes. We seek to limit the side channels through
which an attacker could determine the internal state of the DRNG."
Good answer!
On 06/19/2012 02:11 PM, coderman wrote:
the sanity checks, being on die, are limited. you can't run DIEHARD
against this in a useful manner because the DRBG obscures anything
useful.
I don't think there's anything useful diehard (specifically) is going to
tell you.
The raw entropy source ou
On 06/19/2012 01:59 PM, coderman wrote:
thanks for the clarification; is this documented somewhere? i am
curious if the die space consumed for two implementations of AES in
negligible on these very large cores, or if there is another reason to
intentionally keep them separate.
It sounds to me l
On 06/19/2012 01:36 AM, Jon Callas wrote:
On Jun 18, 2012, at 4:12 PM, Marsh Ray wrote:
150 clocks (Intel's figure) implies 18.75 clocks per byte.
That's not bad at all.
Right, 500 MB/s of random numbers ought to be enough for anybody.
My main point in running the perf numb
On 06/18/2012 10:21 PM, ianG wrote:
The first part is that AES and block algorithms can be quite tightly
defined with a tight specification, and we can distribute test
parameters. Anyone who's ever coded these things up knows that the test
parameters do a near-perfect job in locking implementati
On 06/18/2012 12:20 PM, Jon Callas wrote:
A company makes a cryptographic widget that is inherently hard to
test or validate. They hire a respected outside firm to do a review.
What's wrong with that? I recommend that everyone do that.
Un-reviewed crypto is a bane.
Let's accept that the review
On 06/12/2012 10:58 AM, Thor Lancelot Simon wrote:
One wonders what Microsoft knows about who requested all those licenses.
Presumably there was some effort put into plausible deniability.
Considering that the Flame attackers are said to operate 80
command-and-control servers at locations aro
On 06/12/2012 04:09 AM, Marc Stevens wrote:
They were limited to a millisecond time-window to request the original
cert for their attack to succeed.
That means they probably needed a lot more attempts than the 9 attempts
(over 4 weekends) we needed.
From Sotirov's http://www.trailofbits.com/re
On 06/10/2012 03:03 PM, Florian Weimer wrote:
Does this mean they've seen the original certificate in addition to
the evil twin?
Until then, there is another explanation besides an advance in
cryptanalysis. Just saying. 8-)
I guess I look at it like this:
Start with the simplest explanation
Microsoft just released more info:
http://blogs.technet.com/b/srd/archive/2012/06/06/more-information-about-the-digital-certificates-used-to-sign-the-flame-malware.aspx
It turns out that this:
echo '30 1a 06 08 2b 06 01 04 01 82 37 12 01 01 ff 04 0b 16 09 54 4c
53 7e 42 41 53 49 43'|xxd -r -
On 06/05/2012 07:21 AM, Douglas Pichardo wrote:
The last link below [http://rmhrisk.wpengine.com/?p=52] points out that
the sub-CA's were issued with constraints granting them:
- License Server Verification (1.3.6.1.4.1.311.10.6.2)
- Key Pack Licenses (1.3.6.1.4.1.311.10.6.1)
- Code Signing (1.3.
These researchers have detailed the cert chain here:
http://blog.crysys.hu/2012/06/the-flame-malware-wusetupv-exe-certificate-chain/
If you like X509, you'll find this interesting.
I've attached copies for reference.
Microsoft is saying some strange things like:
http://blogs.technet.com/b/msr
On 06/04/2012 02:41 AM, Marsh Ray wrote:
I've attached the revoked sub-CAs and their roots.
In case it's not clear from the filenames (e.g. the email system drops
them) there were three certs revoked. These are the ones with
"Licensing" in the CN.
For convenience I also i
I'm sure many readers of the list will have heard by now, some Microsoft
sub-CAs were used for signing malware.
For the record here's an excerpt from the MS release and to save
interested people time I've attached the revoked sub-CAs and their roots.
There are some tantalizing bits about MD5
On 05/31/2012 04:08 PM, Nico Williams wrote:
On Thu, May 31, 2012 at 2:03 PM, Marsh Ray wrote:
On 05/31/2012 11:28 AM, Nico Williams wrote:
Yes, but note that one could address that with some assumptions, and
with some techniques that one would reject when making a better hash
-- the point is
On 05/31/2012 11:28 AM, Nico Williams wrote:
Yes, but note that one could address that with some assumptions, and
with some techniques that one would reject when making a better hash
-- the point is to be slow,
More precisely, the point is to take a tunable amount of time with
strong assuranc
On 05/30/2012 03:25 PM, Maarten Billemont wrote:
I'm currently considering asking the user for their full name and
using that as a salt in the scrypt operation. Full names are often
lengthy and there's a good deal of them. Do you reckon this might
introduce enough entropy
In the case of salts
On 05/30/2012 02:59 PM, Nico Williams wrote:
This is why salting is important. They should not be able to build
a single rainbow table that works for all cases.
In order to be useful, the salt has to be large enough to not have large
numbers of collisions across large user populations. Ideal
On 05/30/2012 04:06 AM, Maarten Billemont wrote:
First of all, thanks for your time and very valuable feedback.
On 30 May 2012, at 07:20, Marsh Ray wrote:
On 05/29/2012 06:01 PM, Maarten Billemont wrote:
Initially, my recommendation for a master password was to use a
sufficiently-random 12
On 05/29/2012 06:01 PM, Maarten Billemont wrote:
Dear readers,
I've written an iOS / Mac application whose goal it is to produce
passwords for any purpose. I was really hoping for the opportunity
to receive some critical feedback or review of the algorithm
used[1].
[1] http://masterpassword
On 05/25/2012 09:50 AM, Steven Bellovin wrote:
Here's Google Translate link to the article (I can't read German).
My money is on a protocol or implementation flaw, or possibly just
hacks to the end system.
http://translate.google.com/translate?sl=de&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eot
On 05/04/2012 07:40 PM, David I. Emery wrote:
Someone, for some unknown reason, turned on a debug switch
(DEBUGLOG) in the current released version of MacOS Lion 10.7.3 that
causes the authorizationhost process's HomeDirMounter DIHLFVMount to log
in *PLAIN TEXT* in a system wide logfile
A new version of I-D, draft-ray-tls-encrypted-handshake-00.txt has been
successfully submitted by Marsh Ray and posted to the IETF repository.
Filename:draft-ray-tls-encrypted-handshake
Revision:00
Title: Transport Layer Security (TLS) Encrypted Handshake
On 04/25/2012 10:11 PM, Zooko Wilcox-O'Hearn wrote:
It goes like this: suppose you
want to ensure the integrity of a chunk of data. There are at least
two ways to do this (excluding public key digital signatures):
1. the secret-oriented way: you make a MAC tag of the chunk (or
equivalently you u
On 04/23/2012 08:47 PM, Peter Maxwell wrote:
On 23 April 2012 22:41, Marsh Ray wrote:
Do you all agree with my assertion that "No one with a clue about
PKI security would believe that a revoked cert provides equivalent
security from
sh
https://bugzilla.mozilla.org/show_bug.cgi?id=748122
Marsh Ray 2012-04-23 14:18:14 PDT
Created attachment 617643 [details]
pfd.phonefactor.net.pem
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:11.0)
Gecko/20100101 Firefox/11.0
Build ID: 20120410121533
Steps to reproduce:
The "C
On 04/23/2012 01:53 PM, David Adamson wrote:
Ahhh, I think it was a mistake to withdraw MD6. But Ron and his team
had dignity and set up higher mathematical standards than NIST (the
hash function to be provably secure against the differential
cryptanalysis).
If you know of actual weaknesses in
On 04/22/2012 05:07 PM, Jeffrey Walton wrote:
Aren't programs generally written to be fast and take advantage of
things like locality of reference? I'd like to see a design that
completely violates the design principle. Iterations in a KDF would
then be icing on the cake.
STRONGER KEY DERIVATION
On 04/22/2012 02:55 PM, Jeffrey Walton wrote:
This might sound crazy, but I would rather have a NIST approved hash
that runs orders of magnitude slower to resist offline, brute forcing
attacks.
Well, that's what we have KDFs with a tunable work factor like PBKDF2 for.
They're generally constr
On 04/22/2012 12:37 PM, Steven Bellovin wrote:
The question is not whether there should be a hash function significantly
faster than SHA-3, it's whether or not anyone knows how to do it. NIST
wanted to stick with that goal, but there weren't enough (possibly
weren't any; I'm not sure) submission
On 04/14/2012 06:39 AM, David Adamson wrote:
NSA designed SHA-2 to stay in libraries for a long time. Length
extension is not an issue for SHA-2 anymore with SHA-512/256. That is
a double-pipe hash function perfectly secure against length-extension
attack. On 64-bit platforms SHA512 and SHA512/2
On 04/13/2012 02:38 PM, James A. Donald wrote:
To construct a case where length extension matters, one must
contrive a rather dreadful protocol.
http://vnhacker.blogspot.com/2009/09/flickrs-api-signature-forgery.html
Date Published: Sep. 28, 2009
Advisory ID: MOCB-01
Advisory URL:
http://n
On 04/13/2012 01:52 AM, Zooko Wilcox-O'Hearn wrote:
HASH_d(x) = HASH(HASH(x))
I pretty much always use the HASH_d technique, and that way I don't
have to spend time figuring out what length-extension attacks can or
can't do to my designs.
But now SHA-2 takes a 50% performance hit on messages
On 04/11/2012 03:01 PM, Florian Weimer wrote:
* King Of Fun:
All clients have the public key of the server, and the server has
all of the public keys of the clients. The client can only use its
private key for signing. In particular, the client cannot decrypt
data that has been encrypted with t
http://mosh.mit.edu/
http://mosh.mit.edu/mosh-paper-draft.pdf
Abstract
This paper describes Mosh, a mobile shell application
that supports intermittent connectivity, allows roaming,
and provides speculative local echo of user keystrokes.
Mosh is built on the State Synchronization Protocol,
a new
On 04/09/2012 07:00 AM, Jeffrey Walton wrote:
http://h-online.com/-1498071
none of the five finalists
are affected by known attacks on MD5, SHA-1 and SHA-2 and the
Merkle-Damgård construction on which all three are based.
Well, gee, isn't that enough?
True, one thing we've learned from the SH
On 04/05/2012 04:12 AM, Ralf-Philipp Weinmann wrote:
Do you have statistics on that? I remember newer Microsoft and Apple
operating systems supporting L2Sec quite well. And then there are the
Cisco abominations of IPSec that are quite common. But maybe not as
common as SSL VPNs. And let's not
Wow the crickets are deafening tonight. :-)
On 04/03/2012 02:29 PM, Marsh Ray wrote:
yields the complete NT hash with complexity 2^57.
The NT hash is a password-equivalent, and it represents the only secret
material that goes into the MPPE encryption key derivation.
So I point out that one
There is no Diffie-Hellman in the PPTP handshake. AFAICT, the MS-CHAPv2
hashes are sent in the clear.
Per
http://www.schneier.com/paper-pptpv2.html
http://www.schneier.com/paper-pptpv2.pdf pg 5
4. MS-CHAPv2: Deriving the 24-byte Response
Both MS-CHAPv1 and MS-CHAPv2 use the same procedure to d
Has anyone seen this CA before?
Sounds like an interesting business model, even if the site design looks
a bit anachronistic.
http://print-a-cert.com/
- Marsh
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mail
Original Message
Subject: SHA-3 feedback requested by June 1, 2012
Date: Fri, 30 Mar 2012 15:06:02 -0400
From: Chang, Shu-jen H.
Reply-To: hash-fo...@nist.gov
To: Multiple recipients of list
Dear Forum members,
NIST hosted the third and final SHA-3 Candidate
Conference
On 03/28/2012 10:39 PM, Jeffrey Walton wrote:
Hi Guys,
From "Reworked Version of Stuxnet Relative Duqu Found in Iran,"
http://www.securitynewsdaily.com/1642-stuxnet-duqu-iran.html:
Duqu's builders also changed its encryption algorithm and
rigged the malware loader to pose as a Micros
(Nod to the rest of what you said)
On 03/25/2012 11:45 AM, Benjamin Kreuter wrote:
The US government still wants a
system where encrypted communications can be arbitrarily decrypted,
they just dress up the argument and avoid using dirty words like "key
escrow."
Aside from the deep moral and c
On 03/24/2012 01:28 AM, J.A. Terranson wrote:
Ah... Probably not. Think Jim Bell et al. I suspect it is far more
likely that the vast majority of subscribers here are listed in the
Potentially Dangerous category, if not the flat out Budding Terrorist
label.
Oh good grief. Do you even kn
On 03/22/2012 09:57 AM, Peter Maxwell wrote:
From
http://blogs.computerworld.com/19917/shocker_nsa_chief_denies_total_information_awareness_spying_on_americans?source=CTWNLE_nlt_security_2012-03-22
"Remember," former intelligence official Binney stated, "a lot of
foreign government stuff we've
On 03/21/2012 08:54 PM, ianG wrote:
Or, is the advantage that CBC and other modes have - obfuscation of the
ciphertext with variation stolen from the plaintext - of such low value
in the scheme of things that these things make no difference?
Just thinking out loud here.
CBC certainly seems li
On 03/19/2012 07:15 PM, ianG wrote:
Right, so thinking about it some more, traffic analysis is the goal. But
AES-cracking is the cover-plan.
"We're almost there, the new computer being built this year will make a
huge difference, a real breakthrough!"
Perfect.
(They have a mandate for the sec
On 03/19/2012 06:22 PM, Arshad Noor wrote:
FYI. P.S. Since I did not elaborate what the RC3 architecture is, you
can read it at any one of the following sites:
* IBM's developerWorks.com. http://ibm.co/rc3dw
Regulatory compliant cloud computing security ... in a box!
Brilliant!
I liked the pa
On 03/09/2012 05:25 AM, Florian Weingarten wrote:
Hello list,
first, excuse me if my questions are obvious (or irrelevant).
I am interested in these questions too.
This is what I pick up from following the SHA-3 list. Someone else
please jump in if I'm off the mark.
I am interested in the
On 03/01/2012 09:31 PM, Jeffrey Walton wrote:
Interesting. I seem to recall that cascading ciphers is frowned upon
on sci.crypt. I wonder if this is mis-information
Not mis-information. You could easily end up enabling a
meet-in-the-middle attack just like double DES.
https://en.wikipedi
On 02/28/2012 10:42 AM, Marsh Ray wrote:
By forcing the phishing attack to involve the legitimate site, it does
one other thing: it puts the site in a position to require strong mutual
authentication.
Let me clarify one little detail: web browsers will still send the HTTP
request (including
On 02/28/2012 07:34 AM, The Fungi wrote:
"Your login was successful, but due to recent security concerns we
also require a one-time verification of your personal information.
Please now enter the following...
Yes, but all of this falls in the category of "user authenticates the
website".
So
On 02/26/2012 09:08 PM, Peter Gutmann wrote:
Marsh Ray writes:
Except that as it is stipulated that the captors are "not stupid", we must
assume they are perfectly rational actors who will have worked out this
strategy too.
It's not an exercise in game theory, it's
On 02/26/2012 09:34 AM, Andy Steingruebl wrote:
On Sat, Feb 25, 2012 at 4:54 PM, Marsh Ray wrote:
Still it might be worth pointing that if Wells Fargo really wanted
to forbid a Trustwave network-level MitM, SSL/TLS provides the
capability to enforc
On 02/26/2012 11:35 AM, Jon Callas wrote:
On Feb 25, 2012, at 3:18 PM, Kevin W. Wall wrote:
On Sat, Feb 25, 2012 at 2:50 AM, Jon Callas
wrote:
I asked them about the case where someone has TrueCrypt but
doesn't have a hidden volume, what would happen to someone
doesn't have one? Their respons
On 02/25/2012 05:55 PM, John Case wrote:
When all is said and done, and Jane Doe cube peasant signs away her
life, and the browsers all look the other way and "every CA is doing it"
... after all of that, does Wells Fargo actually consent to your
bullshit Fortune 30,000 firm monitoring their onl
On 02/24/2012 12:14 PM, Steven Bellovin wrote:
http://volokh.com/2012/02/23/eleventh-circuit-finds-fifth-amendment-right-against-self-incrimination-not-to-decrypt-encyrpted-computer/
It's worth noting that some kind folks from the EFF gave a fascinating
talk at the recent Shmoocon which dealt
On 02/24/2012 01:49 PM, Thor Lancelot Simon wrote:
Is the major purpose of this mailing list really the discussion of
political and social theory? I thought I had subscribed to
cryptography@randombit.net, not "I already spent four years doing
political science, thanks."
It is apparently diffe
On 02/23/2012 02:27 PM, Ondrej Mikle wrote:
On 02/22/2012 10:55 PM, Marsh Ray wrote:
I'm putting myself in the position of an engineer who's designing the
logic and writing some low-level firmware for the next consumer grade
$50 blue box home router/wifi/firewall appliance:
===
On 02/22/2012 08:44 PM, Peter Gutmann wrote:
Marsh Ray writes:
Obviously this story is made up and probably not even fully
consistent. But having worked a little bit around hardware
engineers it seems to me like a very plausible scenario, if not
typical.
It's actually pretty spot-on
On 02/22/2012 05:49 PM, Jeffrey Walton wrote:
Remember, OpenSSL gave tacit approval: "If it helps with debugging,
I'm in favor of removing them,"
http://www.mail-archive.com/openssl-dev@openssl.org/msg21156.html.
The full quote from Ulf Möller is:
Kurt Roeckx schrieb:
What I currently see as
On 02/22/2012 09:32 AM, Thierry Moreau wrote:
While commenting about
http://www.cs.bris.ac.uk/Research/CryptographySecurity/knowledge.html
, Marsh Ray wrote:
It talks about entropy exclusively in terms of 'unpredictability',
which I think misses the essential point necessary fo
On 02/21/2012 08:31 PM, Kevin W. Wall wrote:
Apologies for this being a bit OT as far as the charter of this list
goes, and perhaps a bit self-serving as well. I hope you will bear
with me.
Meh. I think I've seen worse. :-)
To a degree, I think it is more ignorance than it is outright
incompe
On 02/18/2012 03:43 PM, Jeffrey I. Schiller wrote:
My concern about virtual machines is that the hypervisor layer may
reduce the entropy in these inter-arrival times by quantifying them
into discrete time intervals.
Yes, hypervisors even introduce quantization error into the
high-resolution t
On 02/17/2012 02:51 PM, Jon Callas wrote:
On Feb 17, 2012, at 12:41 PM, Nico Williams wrote:
I'd like for /dev/urandom to block, but only early in boot. Once
enough entropy has been gathered for it to start it should never
block. One way to achieve this is to block boot progress early
enough
On 02/17/2012 01:32 PM, Thierry Moreau wrote:
Isn't /dev/urandom BY DEFINITION of limited true entropy?
It depends on the model you use.
In the model that makes sense to me, one in which the attacker has
finite computational resources (i.e., insufficient to brute-force the
search space of y
On 02/16/2012 08:42 PM, Jeffrey I. Schiller wrote:
I've read the code, I know how it works... That's my point. By adding
additional entropy (in this case the time) between the generation of P
and Q you set up a situation where it is more likely that two hosts
will share a P but not a Q.
It is e
On 02/16/2012 11:05 AM, Jeffrey I. Schiller wrote:
What I found most interesting in Nadia's blog entry is this snippet of
(pseudo) code from OpenSSL:
prng.seed(seed)
p = prng.generate_random_prime()
prng.add_randomness(bits)   # extra entropy mixed in only between p and q
q = prng.generate_random_prime()
On 02/14/2012 09:02 PM, Jon Callas wrote:
If you implement something like the
Certificate Transparency, you have an authenticated database of
authoritative data to replicate the oracle with.
How important is it that the data be authenticated/authoritative in this
case?
Waving my hand and m
On 02/14/2012 02:56 PM, Ralph Holz wrote:
BTW, what we do not address is an attacker sending us many forged chains
and/or traces. We don't want clients to have to register with our server
and obtain an identity. That's a sore point.
Aren't the certs of interest those that chain to a well-known ro
On 02/12/2012 10:24 AM, John Levine wrote:
They also claim in their defense that other CAs are doing this.
Evading computer security systems and tampering with communications is
a violation of federal law in the US.
As the article made quite clear, this particular cert was used to
monitor traf
On 02/07/2012 05:41 PM, Andy Steingruebl wrote:
I don't remember Adam saying in his blog post or in any other posts,
etc. that this is the only change they will make to Chrome.
Surely.
At the
same time I think they did get fairly tired or hard-coding a CRL list
into the Chrome binary itself
On 02/06/2012 09:00 PM, Jonathan Katz wrote:
One question, though. Langley writes: "If the attacker is close to
the server then online revocation checks can be effective, but an
attacker close to the server can get certificates issued from many
CAs and deploy different certificates as needed." A
On 01/31/2012 05:21 AM, ianG wrote:
major software product that still calls self-signed certificates
"snake-oil" certificates. Which is upside down, the use of the term
itself can be snake-oil recursively.
That would make it 'Ouroboris oil'.
Yes, easy. QKD requires hardware. A laser+receiver
On 01/28/2012 11:22 AM, Nico Williams wrote:
Let's turn it around: what QKD products do
you think are not snake oil today? Please be specific (list products
currently on sale) and back up the assertion with a rationale,
remembering that this is in comparison to classical cryptography
technology.
On 01/15/2012 07:18 PM, Jonathan Thornburg wrote:
On Sat, 14 Jan 2012, Alfonso De Gregorio wrote:
Back in December 2010, we discussed the OpenBSD IPSec backdoor allegations.
Two days ago, Cryptome.org published Gregory Perry's follow-up to
this story.
FBI OpenBSD Backdoors and RSA Ciphe
Original Message
Subject: [TLS] Fwd: New Non-WG Mailing List: therightkey
Date: Fri, 13 Jan 2012 18:26:18 +
From: Stephen Farrell
To: s...@ietf.org , pkix , t...@ietf.org
, dane
FYI please sign up if interested but wait a few days
to give folks a chance to sign up be
On 01/05/2012 05:59 PM, Thor Lancelot Simon wrote:
FWIW, using HMAC like this is the "extract" step of the two-step
extract-expand HMAC based construction that is HKDF
From http://tools.ietf.org/html/draft-krawczyk-hkdf-01
2.2. Step 1: Extract
PRK = HKDF-Extract(salt, IKM)
Options:
On 01/05/2012 03:46 PM, Thor Lancelot Simon wrote:
I am asking whether the
use of HMAC with two different, well known keys, one for each purpose,
is better or worse than using the "folded" output of a single SHA
invocation for one purpose and the unfolded output of that same
invocation for the ot
On 12/21/2011 04:24 PM, Michael Nelson wrote:
Somewhat related: The IEEE is asking for proposals to develop and
operate a CA as a part of their Taggant System. This involves
signing to validate the usage of packers (compressing executables).
Packers can make it hard for anti-virus programs to s
On 12/08/2011 01:09 PM, jd.cypherpunks wrote:
David Ulevitch is rolling out OpenDNS http://david.ulevitch.com/
What do you think?
I assume you're talking about their new DNSCrypt application.
They seem to be saying it's an implementation of DJB's DNSCurve protocol.
https://twitter.com/#!/david
On 12/08/2011 09:16 AM, Darren J Moffat wrote:
On 12/07/11 14:42, William Whyte wrote:
Well, I think the theoretically correct answer is that you *should*...
these days all the installers can be available online, after all.
Except when the installer CD you need is the one for the network drive
On 12/07/2011 08:12 PM, lodewijk andré de la porte wrote:
I'm afraid "far more effective" just doesn't cut it. Android has
"install .APK from third party sources" which you'll engage whenever you
install an APK without using the market, trusted or not.
That's why I didn't use Android as an exam
On 12/07/2011 07:01 PM, lodewijk andré de la porte wrote:
I figured it'd be effective to create a "security awareness group"
figuring the most prominent (and only effective) way to show people
security is a priority is by placing a simple marking, something like
"this site isn't safe!"
I thou
[Really this is to the list, not so much Jon specifically]
On 12/07/2011 02:10 PM, Jon Callas wrote:
Let's figure out what we're trying to accomplish; after that, we
can try to figure out how to do it.
I think that's the central problem we're dealing with. There is scads
of mechanism and
On 12/07/2011 09:11 AM, d...@geer.org wrote:
Another wrinkle, at least as a logic problem, would be
whether you can revoke the signing cert for a CRL and
what, exactly, would that mean -- particularly if the
last known good date is well astern and hence the
revocation would optimally be retroact
Anyone have any more info on this?
Even just a CVE or 'fixed in' version would be helpful.
http://www.isoc.org/isoc/conferences/ndss/12/program.shtml#1a
Plaintext-Recovery Attacks Against Datagram TLS
Kenneth Paterson and Nadhem Alfardan We describe an efficient and
full plaintext recovery at
On 12/02/2011 01:21 AM, Marsh Ray wrote:
Out of a set of 4096 (salt values) random functions each mapping
{ 1...256 } -> { 0 ... 255 }
samples H[0] values
how many would we expect to have all samples map to the same value,
i.e., have a codomain size of 1 ?
s/codomain/image/
- Ma
On 12/02/2011 12:25 AM, Solar Designer wrote:
On Thu, Dec 01, 2011 at 11:16:14PM -0600, Marsh Ray wrote:
1. The largest cluster will represent the case where H[0] fails the
comparison in strcmp().
2. The second cluster will be on the order of a few machine cycles
longer, representing times
On 12/01/2011 11:11 PM, Sampo Syreeni wrote:
On 2011-12-01, Randall Webmail wrote:
I am an almost-complete greenie WRT crypto, which is why I'm here
to learn.
What is the proper thing to do when one of those things pops up?
(It is NOT a rare event).
They mostly mean you no harm.
You don't
On 12/01/2011 10:15 PM, Solar Designer wrote:
On Thu, Dec 01, 2011 at 09:15:05PM -0600, Marsh Ray wrote:
When you can evaluate MD5 at 5.6 GH/s, accessing even a straight lookup
table in main memory is probably a slowdown.
Yes, but those very high speeds are throughput for large numbers of
On 12/01/2011 06:15 PM, Jerrie Union wrote:
How should the attacker mount the attack after hash[0] has been recovered?
He tests passwords that yield the identified H[0].
I guess for a given digest D if the attacker guesses the character at position 1
(D[1])
by supplying the secret S there’
On 12/01/2011 04:37 PM, Jerrie Union wrote:
public boolean check(digest, secret) {
    hash = md5(secret);
    if (digest.length != hash.length) {
        return false;
    }
    // returns on the first mismatching byte, so the time taken
    // depends on how many leading bytes of the digest were right
    for (i = 0; i < digest.length; i++) {
        if (digest[i] != hash[i]) {
            return false;
        }
    }
    return true;
}
On 12/01/2011 11:09 AM, Ben Laurie wrote:
On Thu, Dec 1, 2011 at 4:56 PM, Marsh Ray
wrote:
http://www.prnewswire.com/news-releases/geotrust-launches-georoot-allows-organizations-with-their-own-certificate-authority-ca-to-chain-to-geotrusts-ubiquitous-public-root-54048807.html
They appear to
On 11/30/2011 06:44 PM, Adam Back wrote:
Are there really any CAs which issue sub-CA for "deep packet
inspection" aka doing MitM and issue certs on the fly for everything
going through them: gmail, hotmail, online banking etc.
http://www.prnewswire.com/news-releases/geotrust-launches-georoot-
On 11/30/2011 12:01 PM, Ben Laurie wrote:
On Wed, Nov 30, 2011 at 5:16 PM, Marsh Ray wrote:
Perhaps you define this category of "publicly visible certs" as "certs
which display without warnings on default-configured browsers when
presented by the correct site".
...
On
On 11/30/2011 05:24 AM, Ben Laurie wrote:
On Wed, Nov 30, 2011 at 1:18 AM, Marsh Ray
wrote:
Perhaps the relevant property is "certs issued by a browser-trusted
CA or subordinate" regardless of their visibility.
If they are not visible, why would we care whether they are in the