Re: [cryptography] MS PPTP MPPE only as secure as *single* DES (UPDATE)

2012-07-30 Thread Marsh Ray
On 04/03/2012 02:29 PM, Marsh Ray wrote: Therefore, from any packet capture of a PPTP session which includes the initial handshake, a brute force of the response yields the complete NT hash with complexity 2^57. The NT hash is a password-equivalent, and it represents the only secret material

Re: [cryptography] Intel RNG

2012-06-22 Thread Marsh Ray
On 06/22/2012 04:42 PM, Kevin W. Wall wrote: You wrote "going to DIFFERENT consumers". I am interpreting that as different processes, but I don't see how a CPU instruction like RdRand or anything else is going to be process or thread or aware. If you would have omitted the "different", then it

Re: [cryptography] Intel RNG

2012-06-22 Thread Marsh Ray
On 06/21/2012 09:05 PM, ianG wrote: On 22/06/12 06:53 AM, Michael Nelson wrote: "At the output of the DRBG, through RdRand, you have no visibility of these processes. We seek to limit the side channels through which an attacker could determine the internal state of the DRNG." Good answer!

Re: [cryptography] Intel RNG

2012-06-19 Thread Marsh Ray
On 06/19/2012 02:11 PM, coderman wrote: the sanity checks, being on die, are limited. you can't run DIEHARD against this in a useful manner because the DRBG obscures anything useful. I don't think there's anything useful diehard (specifically) is going to tell you. The raw entropy source ou

Re: [cryptography] Intel RNG

2012-06-19 Thread Marsh Ray
On 06/19/2012 01:59 PM, coderman wrote: thanks for the clarification; is this documented somewhere? i am curious if the die space consumed for two implementations of AES in negligible on these very large cores, or if there is another reason to intentionally keep them separate. It sounds to me l

Re: [cryptography] Intel RNG

2012-06-19 Thread Marsh Ray
On 06/19/2012 01:36 AM, Jon Callas wrote: On Jun 18, 2012, at 4:12 PM, Marsh Ray wrote: 150 clocks (Intel's figure) implies 18.75 clocks per byte. That's not bad at all. Right, 500 MB/s of random numbers ought to be enough for anybody. My main point in running the perf numb

Re: [cryptography] Intel RNG

2012-06-18 Thread Marsh Ray
On 06/18/2012 10:21 PM, ianG wrote: The first part is that AES and block algorithms can be quite tightly defined with a tight specification, and we can distribute test parameters. Anyone who's ever coded these things up knows that the test parameters do a near-perfect job in locking implementati

Re: [cryptography] Intel RNG

2012-06-18 Thread Marsh Ray
On 06/18/2012 12:20 PM, Jon Callas wrote: A company makes a cryptographic widget that is inherently hard to test or validate. They hire a respected outside firm to do a review. What's wrong with that? I recommend that everyone do that. Un-reviewed crypto is a bane. Let's accept that the review

Re: [cryptography] Microsoft Sub-CA used in malware signing

2012-06-12 Thread Marsh Ray
On 06/12/2012 10:58 AM, Thor Lancelot Simon wrote: One wonders what Microsoft knows about who requested all those licenses. Presumably there was some effort put into plausible deniability. Considering that the Flame attackers are said to operate 80 command-and-control servers at locations aro

Re: [cryptography] Microsoft Sub-CA used in malware signing

2012-06-12 Thread Marsh Ray
On 06/12/2012 04:09 AM, Marc Stevens wrote: They were limited to a millisecond time-window to request the original cert for their attack to succeed. That means they probably needed a lot more attempts than the 9 attempts (over 4 weekends) we needed. From Sotirov's http://www.trailofbits.com/re

Re: [cryptography] Microsoft Sub-CA used in malware signing

2012-06-10 Thread Marsh Ray
On 06/10/2012 03:03 PM, Florian Weimer wrote: Does this mean they've seen the original certificate in addition to the evil twin? Until then, there is another explanation besides an advance in cryptanalysis. Just saying. 8-) I guess I look at it like this: Start with the simplest explanation

Re: [cryptography] Microsoft Sub-CA used in malware signing

2012-06-06 Thread Marsh Ray
Microsoft just released more info: http://blogs.technet.com/b/srd/archive/2012/06/06/more-information-about-the-digital-certificates-used-to-sign-the-flame-malware.aspx It turns out that this: echo '30 1a 06 08 2b 06 01 04 01 82 37 12 01 01 ff 04 0b 16 09 54 4c 53 7e 42 41 53 49 43'|xxd -r -

Re: [cryptography] Microsoft Sub-CA used in malware signing

2012-06-06 Thread Marsh Ray
On 06/05/2012 07:21 AM, Douglas Pichardo wrote: The last link below [http://rmhrisk.wpengine.com/?p=52] points out that the sub-CA's were issued with constraints granting them: - License Server Verification (1.3.6.1.4.1.311.10.6.2) - Key Pack Licenses (1.3.6.1.4.1.311.10.6.1) - Code Signing (1.3.

Re: [cryptography] Microsoft Sub-CA used in malware signing

2012-06-05 Thread Marsh Ray
These researchers have detailed the cert chain here: http://blog.crysys.hu/2012/06/the-flame-malware-wusetupv-exe-certificate-chain/ If you like X509, you'll find this interesting. I've attached copies for reference. Microsoft is saying some strange things like: http://blogs.technet.com/b/msr

Re: [cryptography] Microsoft Sub-CA used in malware signing

2012-06-04 Thread Marsh Ray
On 06/04/2012 02:41 AM, Marsh Ray wrote: I've attached the revoked sub-CAs and their roots. In case it's not clear from the filenames (e.g. the email system drops them) there were three certs revoked. These are the ones with "Licensing" in the CN. For convenience I also i

[cryptography] Microsoft Sub-CA used in malware signing

2012-06-04 Thread Marsh Ray
I'm sure many readers of the list will have heard by now, some Microsoft sub-CAs were used for signing malware. For the record here's an excerpt from the MS release and to save interested people time I've attached the revoked sub-CAs and their roots. There is some tantalizing bits about MD5

Re: [cryptography] Master Password

2012-05-31 Thread Marsh Ray
On 05/31/2012 04:08 PM, Nico Williams wrote: On Thu, May 31, 2012 at 2:03 PM, Marsh Ray wrote: On 05/31/2012 11:28 AM, Nico Williams wrote: Yes, but note that one could address that with some assumptions, and with some techniques that one would reject when making a better hash -- the point is

Re: [cryptography] Master Password

2012-05-31 Thread Marsh Ray
On 05/31/2012 11:28 AM, Nico Williams wrote: Yes, but note that one could address that with some assumptions, and with some techniques that one would reject when making a better hash -- the point is to be slow, More precisely, the point is to take a tunable amount of time with strong assuranc

Re: [cryptography] Master Password

2012-05-30 Thread Marsh Ray
On 05/30/2012 03:25 PM, Maarten Billemont wrote: I'm currently considering asking the user for their full name and using that as a salt in the scrypt operation. Full names are often lengthy and there's a good deal of them. Do you recon this might introduce enough entropy In the case of salts

Re: [cryptography] Master Password

2012-05-30 Thread Marsh Ray
On 05/30/2012 02:59 PM, Nico Williams wrote: This is why salting is important. They should not be able to build a single rainbow table that works for all cases. In order to be useful, the salt has to be large enough to not have large numbers of collisions across large user populations. Ideal

Re: [cryptography] Master Password

2012-05-30 Thread Marsh Ray
On 05/30/2012 04:06 AM, Maarten Billemont wrote: First of all, thanks for your time and very valuable feedback. On 30 May 2012, at 07:20, Marsh Ray wrote: On 05/29/2012 06:01 PM, Maarten Billemont wrote: Initially, my recommendation for a master password was to use a sufficiently-random 12

Re: [cryptography] Master Password

2012-05-29 Thread Marsh Ray
On 05/29/2012 06:01 PM, Maarten Billemont wrote: Dear readers, I've written an iOS / Mac application whose goal it is to produce passwords for any purpose. I was really hoping for the opportunity to receive some critical feedback or review of the algorithm used[1]. [1] http://masterpassword

Re: [cryptography] can the German government read PGP and ssh traffic?

2012-05-25 Thread Marsh Ray
On 05/25/2012 09:50 AM, Steven Bellovin wrote: Here's Google Translate link to the article (I can't read German). My money is on a protocol or implementation flaw, or possibly just hacks to the end system. http://translate.google.com/translate?sl=de&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eot

Re: [cryptography] Apple Legacy filevault barn door...

2012-05-05 Thread Marsh Ray
On 05/04/2012 07:40 PM, David I. Emery wrote: Someone, for some unknown reason, turned on a debug switch (DEBUGLOG) in the current released version of MacOS Lion 10.7.3 that causes the authorizationhost process's HomeDirMounter DIHLFVMount to log in *PLAIN TEXT* in a system wide logfile

[cryptography] draft-ray-tls-encrypted-handshake

2012-05-05 Thread Marsh Ray
-encrypted-handshake/ A new version of I-D, draft-ray-tls-encrypted-handshake-00.txt has been successfully submitted by Marsh Ray and posted to the IETF repository. Filename: draft-ray-tls-encrypted-handshake Revision: 00 Title: Transport Layer Security (TLS) Encrypted Handshake

Re: [cryptography] data integrity: secret key vs. non-secret verifier; and: are we winning? (was: “On the limits of the use cases for authenticated encryption”)

2012-04-25 Thread Marsh Ray
On 04/25/2012 10:11 PM, Zooko Wilcox-O'Hearn wrote: It goes like this: suppose you want to ensure the integrity of a chunk of data. There are at least two ways to do this (excluding public key digital signatures): 1. the secret-oriented way: you make a MAC tag of the chunk (or equivalently you u

Re: [cryptography] Symantec/Verisign DV certs issued with excessive validity period of 6 years

2012-04-24 Thread Marsh Ray
On 04/23/2012 08:47 PM, Peter Maxwell wrote: On 23 April 2012 22:41, Marsh Ray <ma...@extendedsubset.com> wrote: Do you all agree with my assertion that "No one with a clue about PKI security would believe that a revoked cert provides equivalent security from

[cryptography] Symantec/Verisign DV certs issued with excessive validity period of 6 years

2012-04-23 Thread Marsh Ray
sh https://bugzilla.mozilla.org/show_bug.cgi?id=748122 Marsh Ray 2012-04-23 14:18:14 PDT Created attachment 617643 [details] pfd.phonefactor.net.pem User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0 Build ID: 20120410121533 Steps to reproduce: The "C

Re: [cryptography] NIST and other organisations that set up standards in information security & cryptography.

2012-04-23 Thread Marsh Ray
On 04/23/2012 01:53 PM, David Adamson wrote: Ahhh, I think it was a mistake to withdraw MD6. But Ron and his team had dignity and set up higher mathematical standards than NIST (the hash function to be provably secure against the differential cryptanalysis). If you know of actual weaknesses in

Re: [cryptography] NIST and other organisations that set up standards in information security & cryptography.

2012-04-22 Thread Marsh Ray
On 04/22/2012 05:07 PM, Jeffrey Walton wrote: Aren't programs generally written to be fast and take advantage of things like locality of reference? I'd like to see a design that completely violates the design principle. Iterations in a KDF would then be icing on the cake. STRONGER KEY DERIVATION

Re: [cryptography] NIST and other organisations that set up standards in information security & cryptography.

2012-04-22 Thread Marsh Ray
On 04/22/2012 02:55 PM, Jeffrey Walton wrote: This might sound crazy, but I would rather have a NIST approved hash that runs orders of magnitude slower to resist offline, brute forcing attacks. Well, that's what we have KDFs with a tunable work factor like PBKDF2 for. They're generally constr

Re: [cryptography] NIST and other organisations that set up standards in information security & cryptography. (was: Doubts over necessity of SHA-3 cryptography standard)

2012-04-22 Thread Marsh Ray
On 04/22/2012 12:37 PM, Steven Bellovin wrote: The question is not whether there should be a hash function significantly faster than SHA-3, it's whether or not anyone knows how to do it. NIST wanted to stick with that goal, but there weren't enough (possibly weren't any; I'm not sure) submission

Re: [cryptography] workaround for length extension attacks (was: Doubts over necessity of SHA-3 cryptography standard)

2012-04-18 Thread Marsh Ray
On 04/14/2012 06:39 AM, David Adamson wrote: NSA designed SHA-2 to stay in libraries for a long time. Length extension is not an issue for SHA-2 anymore with SHA-512/256. That is a double-pipe hash function perfectly secure against length-extension attack. On 64-bit platforms SHA512 and SHA512/2

Re: [cryptography] workaround for length extension attacks

2012-04-13 Thread Marsh Ray
On 04/13/2012 02:38 PM, James A. Donald wrote: To construct a case where length extension matters, one must contrive a rather dreadful protocol. http://vnhacker.blogspot.com/2009/09/flickrs-api-signature-forgery.html Date Published: Sep. 28, 2009 Advisory ID: MOCB-01 Advisory URL: http://n

Re: [cryptography] workaround for length extension attacks (was: Doubts over necessity of SHA-3 cryptography standard)

2012-04-13 Thread Marsh Ray
On 04/13/2012 01:52 AM, Zooko Wilcox-O'Hearn wrote: HASH_d(x) = HASH(HASH(x)) I pretty much always use the HASH_d technique, and that way I don't have to spend time figuring out what length-extension attacks can or can't do to my designs. But now SHA-2 takes a 50% performance hit on messages
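The Flickr API signature forgery linked two posts up and the HASH_d discussion here both turn on one property of Merkle-Damgård hashes: a digest of secret||message is the hash's complete chaining state, so anyone who knows the secret's length can keep hashing from it. The Go program below is an added example, not code from either post, from Flickr, or from Zooko. It carries a SHA-1 compression function of its own so it can resume from a captured tag, forges a valid tag for message||padding||suffix against H(secret||message), and shows the same attempt failing against HMAC-SHA1, which hides the inner state behind an outer keyed hash, just as HASH_d hides it behind a second hash. Flickr's signature used MD5; SHA-1 is used here because the mechanism is identical and the state layout is easier to show. The secret and the parameter string are constructed.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"math/bits"
)

// sha1Block runs the SHA-1 compression function over one 64-byte block.
func sha1Block(h *[5]uint32, block []byte) {
	var w [80]uint32
	for i := 0; i < 16; i++ {
		w[i] = binary.BigEndian.Uint32(block[4*i:])
	}
	for i := 16; i < 80; i++ {
		w[i] = bits.RotateLeft32(w[i-3]^w[i-8]^w[i-14]^w[i-16], 1)
	}
	a, b, c, d, e := h[0], h[1], h[2], h[3], h[4]
	for i := 0; i < 80; i++ {
		var f, k uint32
		switch {
		case i < 20: f, k = (b&c)|(^b&d), 0x5A827999
		case i < 40: f, k = b^c^d, 0x6ED9EBA1
		case i < 60: f, k = (b&c)|(b&d)|(c&d), 0x8F1BBCDC
		default: f, k = b^c^d, 0xCA62C1D6
		}
		t := bits.RotateLeft32(a, 5) + f + e + k + w[i]
		a, b, c, d, e = t, a, bits.RotateLeft32(b, 30), c, d
	}
	h[0], h[1], h[2], h[3], h[4] = h[0]+a, h[1]+b, h[2]+c, h[3]+d, h[4]+e
}

// sha1Padding: 0x80, zeros up to 56 mod 64, then the bit length, big-endian.
func sha1Padding(n uint64) []byte {
	pad := []byte{0x80}
	for (n+uint64(len(pad)))%64 != 56 {
		pad = append(pad, 0)
	}
	var l [8]byte
	binary.BigEndian.PutUint64(l[:], n*8)
	return append(pad, l[:]...)
}

// sha1Resume treats a digest as the chaining state after prefixLen bytes (a multiple of 64, i.e. an already padded prefix) and keeps hashing data after it.
func sha1Resume(digest []byte, prefixLen uint64, data []byte) []byte {
	var h [5]uint32
	for i := range h {
		h[i] = binary.BigEndian.Uint32(digest[4*i:])
	}
	msg := append(append([]byte{}, data...), sha1Padding(prefixLen+uint64(len(data)))...)
	for i := 0; i < len(msg); i += 64 {
		sha1Block(&h, msg[i:i+64])
	}
	out := make([]byte, 20)
	for i, v := range h {
		binary.BigEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// NaiveTag is the Flickr-style signature H(secret || message): the tag is the hash's whole internal state, which is the flaw.
func NaiveTag(secret, message []byte) []byte {
	s := sha1.Sum(append(append([]byte{}, secret...), message...))
	return s[:]
}

// HMACTag is the fix: the outer keyed hash hides the inner state, so no resumable value leaves the signer. H(H(x)) blocks extension the same way.
func HMACTag(secret, message []byte) []byte {
	m := hmac.New(sha1.New, secret)
	m.Write(message)
	return m.Sum(nil)
}

// Extend forges a tag for message || glue || suffix from a valid tag over message, knowing only len(secret).
// glue is the padding the signer's hash applied to secret || message, so it must appear in the forged message.
func Extend(tag, message []byte, secretLen int, suffix []byte) (forgedMsg, forgedTag []byte) {
	origLen := uint64(secretLen + len(message))
	glue := sha1Padding(origLen)
	forgedMsg = append(append(append([]byte{}, message...), glue...), suffix...)
	forgedTag = sha1Resume(tag, origLen+uint64(len(glue)), suffix)
	return forgedMsg, forgedTag
}

// Forgeable reports whether a verifier using tagFn would accept the extended message.
func Forgeable(tagFn func(secret, msg []byte) []byte, secret, msg, suffix []byte) bool {
	forgedMsg, forgedTag := Extend(tagFn(secret, msg), msg, len(secret), suffix)
	return bytes.Equal(tagFn(secret, forgedMsg), forgedTag)
}

func main() {
	secret := []byte("s3cr3t-api-key")              // constructed
	msg := []byte("api_key=f00&method=photos.read") // constructed
	suffix := []byte("&method=photos.delete")
	fmt.Println("H(k||m) forgeable:", Forgeable(NaiveTag, secret, msg, suffix))
	fmt.Println("HMAC forgeable:   ", Forgeable(HMACTag, secret, msg, suffix))
}
```

The forged message carries the glue padding bytes in the middle, which is why the attack works against concatenated-parameter signing schemes (the verifier re-sorts and re-concatenates whatever it receives) and is harmless once the signer switches to HMAC or to a double hash.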

Re: [cryptography] Looking for an "unusual" AKE protocol

2012-04-11 Thread Marsh Ray
On 04/11/2012 03:01 PM, Florian Weimer wrote: * King Of Fun: All clients have the public key of the server, and the server has all of the public keys of the clients. The client can only use its private key for signing. In particular, the client cannot decrypt data that has been encrypted with t

[cryptography] Predictive SSH alternative for vt sessions 'Mosh: An Interactive Remote Shell for Mobile Clients'

2012-04-11 Thread Marsh Ray
http://mosh.mit.edu/ http://mosh.mit.edu/mosh-paper-draft.pdf Abstract This paper describes Mosh, a mobile shell application that supports intermittent connectivity, allows roaming, and provides speculative local echo of user keystrokes. Mosh is built on the State Synchronization Protocol, a new

Re: [cryptography] Doubts over necessity of SHA-3 cryptography standard

2012-04-09 Thread Marsh Ray
On 04/09/2012 07:00 AM, Jeffrey Walton wrote: http://h-online.com/-1498071 none of the five finalists are affected by known attacks on MD5, SHA-1 and SHA-2 and the Merkle-Damgård construction on which all three are based. Well, gee, isn't that enough? True, one thing we've learned from the SH

Re: [cryptography] MS PPTP MPPE only as secure as *single* DES

2012-04-05 Thread Marsh Ray
On 04/05/2012 04:12 AM, Ralf-Philipp Weinmann wrote: Do you have statistics on that? I remember newer Microsoft and Apple operating systems supporting L2Sec quite well. And then there are the Cisco abominations of IPSec that are quite common. But maybe not as common as SSL VPNs. And let's not

Re: [cryptography] MS PPTP MPPE only as secure as *single* DES

2012-04-05 Thread Marsh Ray
Wow the crickets are deafening tonight. :-) On 04/03/2012 02:29 PM, Marsh Ray wrote: yields the complete NT hash with complexity 2^57. The NT hash is a password-equivalent, and it represents the only secret material that goes into the MPPE encryption key derivation. So I point out that one

[cryptography] MS PPTP MPPE only as secure as *single* DES

2012-04-03 Thread Marsh Ray
There is no Diffie-Hellman in the PPTP handshake. AFAICT, the MS-CHAPv2 hashes are sent in the clear. Per http://www.schneier.com/paper-pptpv2.html http://www.schneier.com/paper-pptpv2.pdf pg 5 4 MS-CHAPv2: Deriving the 24-byte Response Both MS-CHAPv1 and MS-CHAPv2 use the same procedure to d
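The derivation Marsh cites from the Schneier/Mudge paper, as an added example (not code from the post, the paper, or any Microsoft implementation): a Go program that follows the ChallengeHash and ChallengeResponse pseudocode of RFC 2759 section 8 and feeds it the RFC's own test vectors. The NT hash (MD4 of the UTF-16LE password) is supplied directly rather than derived, because the attack recovers the hash itself and never needs the password. The 2^57 figure from this thread falls out of the key split: the third DES key holds hash bytes 14 and 15 plus five zero bytes, so it yields to a 2^16 search (run below), while the first two keys are independent 56-bit DES searches against the same known plaintext (not run below), 2 x 2^56 = 2^57 in total.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// ChallengeHash (RFC 2759): the 8-byte DES plaintext is the first 8 bytes of
// SHA-1(PeerChallenge || AuthenticatorChallenge || UserName).
func ChallengeHash(peerChallenge, authChallenge []byte, userName string) []byte {
	h := sha1.New()
	h.Write(peerChallenge)
	h.Write(authChallenge)
	h.Write([]byte(userName))
	return h.Sum(nil)[:8]
}

// desKey56 expands 7 key bytes into the 8-byte DES key layout: each 7-bit
// group is followed by a parity bit in the low position, which DES ignores.
func desKey56(k []byte) []byte {
	return []byte{
		k[0] & 0xFE,
		((k[0] << 7) | (k[1] >> 1)) & 0xFE,
		((k[1] << 6) | (k[2] >> 2)) & 0xFE,
		((k[2] << 5) | (k[3] >> 3)) & 0xFE,
		((k[3] << 4) | (k[4] >> 4)) & 0xFE,
		((k[4] << 3) | (k[5] >> 5)) & 0xFE,
		((k[5] << 2) | (k[6] >> 6)) & 0xFE,
		(k[6] << 1) & 0xFE,
	}
}

// desEncrypt encrypts one 8-byte block under a 7-byte key.
func desEncrypt(key7, block []byte) []byte {
	c, err := des.NewCipher(desKey56(key7))
	if err != nil {
		panic(err) // only a wrong key length can fail here
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// ChallengeResponse (RFC 2759): the 16-byte NT hash is zero-padded to 21 bytes
// and split into three 7-byte DES keys, each of which encrypts the same 8-byte
// challenge. The 24-byte result is what goes over the wire in the clear.
func ChallengeResponse(challenge, ntHash []byte) []byte {
	zpad := make([]byte, 21)
	copy(zpad, ntHash)
	var resp []byte
	for i := 0; i < 3; i++ {
		resp = append(resp, desEncrypt(zpad[7*i:7*i+7], challenge)...)
	}
	return resp
}

// RecoverHashTail brute-forces the third DES key. Only hash bytes 14 and 15 are
// unknown in it (the other five key bytes are the zero padding), so at most
// 2^16 DES operations recover them from a captured challenge and response.
func RecoverHashTail(challenge, response []byte) ([]byte, bool) {
	key := make([]byte, 7)
	for guess := 0; guess < 1<<16; guess++ {
		key[0], key[1] = byte(guess>>8), byte(guess)
		if bytes.Equal(desEncrypt(key, challenge), response[16:24]) {
			return []byte{key[0], key[1]}, true
		}
	}
	return nil, false
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	// RFC 2759 test vectors: UserName "User", Password "clientPass".
	auth := mustHex("5B5D7C7D7B3F2F3E3C2C602132262628")
	peer := mustHex("21402324255E262A28295F2B3A337C7E")
	ntHash := mustHex("44EBBA8D5312B8D611474411F56989AE") // MD4(UTF-16LE("clientPass"))
	chal := ChallengeHash(peer, auth, "User")
	resp := ChallengeResponse(chal, ntHash)
	fmt.Printf("challenge %X\nresponse  %X\n", chal, resp)
	tail, _ := RecoverHashTail(chal, resp)
	fmt.Printf("hash[14:16] from a 2^16 search: %X\n", tail)
	fmt.Println("hash[0:14]: two independent 2^56 DES searches, 2^57 total")
}
```

Because the three DES operations share one plaintext and the output is sent unencrypted, every piece of this is available from a single capture of the handshake; once the full NT hash is known it can be replayed directly and, as the thread notes, it is the only secret that enters the MPPE key derivation.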

[cryptography] Anyone seen this CA before?

2012-03-31 Thread Marsh Ray
Has anyone seen this CA before? Sounds like an interesting business model, even if the site design looks a bit anachronistic. http://print-a-cert.com/ - Marsh

[cryptography] Fwd: SHA-3 feedback requested by June 1, 2012

2012-03-30 Thread Marsh Ray
Original Message Subject: SHA-3 feedback requested by June 1, 2012 Date: Fri, 30 Mar 2012 15:06:02 -0400 From: Chang, Shu-jen H. Reply-To: hash-fo...@nist.gov To: Multiple recipients of list Dear Forum members, NIST hosted the third and final SHA-3 Candidate Conference

Re: [cryptography] [OT] Reworked Version of Stuxnet Relative Duqu Found in Iran

2012-03-28 Thread Marsh Ray
On 03/28/2012 10:39 PM, Jeffrey Walton wrote: Hi Guys, From "Reworked Version of Stuxnet Relative Duqu Found in Iran," http://www.securitynewsdaily.com/1642-stuxnet-duqu-iran.html: Duqu's builders also changed its encryption algorithm and rigged the malware loader to pose as a Micros

[cryptography] Key escrow 2012

2012-03-25 Thread Marsh Ray
(Nod to the rest of what you said) On 03/25/2012 11:45 AM, Benjamin Kreuter wrote: The US government still wants a system where encrypted communications can be arbitrarily decrypted, they just dress up the argument and avoid using dirty words like "key escrow." Aside from the deep moral and c

Re: [cryptography] [info] The NSA Is Building the Country’s Biggest Spy Center (Watch What You Say)

2012-03-24 Thread Marsh Ray
On 03/24/2012 01:28 AM, J.A. Terranson wrote: Ah... Probably not. Think Jim Bell et al. I suspect it is far more likely that the vast majority of subscribers here are listed in the Potentially Dangerous category, if not the flat out Budding Terrorist label. Oh good grief. Do you even kn

Re: [cryptography] [info] The NSA Is Building the Country's Biggest Spy Center (Watch What You Say)

2012-03-22 Thread Marsh Ray
On 03/22/2012 09:57 AM, Peter Maxwell wrote: From http://blogs.computerworld.com/19917/shocker_nsa_chief_denies_total_information_awareness_spying_on_americans?source=CTWNLE_nlt_security_2012-03-22 "Remember," former intelligence official Binney stated, "a lot of foreign government stuff we've

Re: [cryptography] [info] The NSA Is Building the Country’s Biggest Spy Center (Watch What You Say)

2012-03-21 Thread Marsh Ray
On 03/21/2012 08:54 PM, ianG wrote: Or, is the advantage that CBC and other modes have - obfuscation of the ciphertext with variation stolen from the plaintext - of such low value in the scheme of things that these things make no difference? Just thinking out loud here. CBC certainly seems li

Re: [cryptography] [info] The NSA Is Building the Country’s Biggest Spy Center (Watch What You Say)

2012-03-19 Thread Marsh Ray
On 03/19/2012 07:15 PM, ianG wrote: Right, so thinking about it some more, traffic analysis is the goal. But AES-cracking is the cover-plan. "We're almost there, the new computer being built this year will make a huge difference, a real breakthrough!" Perfect. (They have a mandate for the sec

Re: [cryptography] Fwd: General Availability of StrongKey CryptoCabinet

2012-03-19 Thread Marsh Ray
On 03/19/2012 06:22 PM, Arshad Noor wrote: FYI. P.S. Since I did not elaborate what the RC3 architecture is, you can read it at any one of the following sites: * IBM's developerWorks.com. http://ibm.co/rc3dw Regulatory compliant cloud computing security ... in a box! Brilliant! I liked the pa

Re: [cryptography] Number of hash function preimages

2012-03-09 Thread Marsh Ray
On 03/09/2012 05:25 AM, Florian Weingarten wrote: Hello list, first, excuse me if my questions are obvious (or irrelevant). I am interested in these questions too. This is what I pick up from following the SHA-3 list. Someone else please jump in if I'm off the mark. I am interested in the

Re: [cryptography] The NSA and secure VoIP

2012-03-02 Thread Marsh Ray
On 03/01/2012 09:31 PM, Jeffrey Walton wrote: Interesting. I seem to recall that cascading ciphers is frowned upon on sci.crypt. I wonder if this is mis-information Not mis-information. You could easily end up enabling a meet-in-the-middle attack just like double DES. https://en.wikipedi

Re: [cryptography] trustwave admits issuing corporate mitm certs

2012-02-29 Thread Marsh Ray
On 02/28/2012 10:42 AM, Marsh Ray wrote: By forcing the phishing attack to involve the legitimate site, it does one other thing: it puts the site in a position to require strong mutual authentication. Let me clarify one little detail: web browsers will still send the HTTP request (including

Re: [cryptography] trustwave admits issuing corporate mitm certs

2012-02-28 Thread Marsh Ray
On 02/28/2012 07:34 AM, The Fungi wrote: "Your login was successful, but due to recent security concerns we also require a one-time verification of your personal information. Please now enter the following... Yes, but all of this falls in the category of "user authenticates the website". So

Re: [cryptography] US Appeals Court upholds right not to decrypt a drive

2012-02-26 Thread Marsh Ray
On 02/26/2012 09:08 PM, Peter Gutmann wrote: Marsh Ray writes: Except that as it is stipulated that the captors are "not stupid", we must assume they are perfectly rational actors who will have worked out this strategy too. It's not an exercise in game theory, it's

Re: [cryptography] trustwave admits issuing corporate mitm certs

2012-02-26 Thread Marsh Ray
On 02/26/2012 09:34 AM, Andy Steingruebl wrote: On Sat, Feb 25, 2012 at 4:54 PM, Marsh Ray <ma...@extendedsubset.com> wrote: Still it might be worth pointing that if Wells Fargo really wanted to forbid a Trustwave network-level MitM, SSL/TLS provides the capability to enforc

Re: [cryptography] US Appeals Court upholds right not to decrypt a drive

2012-02-26 Thread Marsh Ray
On 02/26/2012 11:35 AM, Jon Callas wrote: On Feb 25, 2012, at 3:18 PM, Kevin W. Wall wrote: On Sat, Feb 25, 2012 at 2:50 AM, Jon Callas wrote: I asked them about the case where someone has TrueCrypt but doesn't have a hidden volume, what would happen to someone doesn't have one? Their respons

Re: [cryptography] trustwave admits issuing corporate mitm certs

2012-02-25 Thread Marsh Ray
On 02/25/2012 05:55 PM, John Case wrote: When all is said and done, and Jane Doe cube peasant signs away her life, and the browsers all look the other way and "every CA is doing it" ... after all of that, does Wells Fargo actually consent to your bullshit Fortune 30,000 firm monitoring their onl

Re: [cryptography] US Appeals Court upholds right not to decrypt a drive

2012-02-24 Thread Marsh Ray
On 02/24/2012 12:14 PM, Steven Bellovin wrote: http://volokh.com/2012/02/23/eleventh-circuit-finds-fifth-amendment-right-against-self-incrimination-not-to-decrypt-encyrpted-computer/ It's worth noting that some kind folks from the EFF gave a fascinating talk at the recent Shmoocon which dealt

Re: [cryptography] Bitcoin in endgame

2012-02-24 Thread Marsh Ray
On 02/24/2012 01:49 PM, Thor Lancelot Simon wrote: Is the major purpose of this mailing list really the discussion of political and social theory? I thought I had subscribed to cryptography@randombit.net, not "I already spent four years doing political science, thanks." It is apparently diffe

Re: [cryptography] Duplicate primes in lots of RSA moduli

2012-02-23 Thread Marsh Ray
On 02/23/2012 02:27 PM, Ondrej Mikle wrote: On 02/22/2012 10:55 PM, Marsh Ray wrote: I'm putting myself in the position of an engineer who's designing the logic and writing some low-level firmware for the next consumer grade $50 blue box home router/wifi/firewall appliance: ===

Re: [cryptography] Duplicate primes in lots of RSA moduli

2012-02-22 Thread Marsh Ray
On 02/22/2012 08:44 PM, Peter Gutmann wrote: Marsh Ray writes: Obviously this story is made up and probably not even fully consistent. But having worked a little bit around hardware engineers it seems to me like a very plausible scenario, if not typical. It's actually pretty spot-on

Re: [cryptography] Duplicate primes in lots of RSA moduli

2012-02-22 Thread Marsh Ray
On 02/22/2012 05:49 PM, Jeffrey Walton wrote: Remember, OpenSSL gave tacit approval: "If it helps with debugging, I'm in favor of removing them," http://www.mail-archive.com/openssl-dev@openssl.org/msg21156.html. The full quote from Ulf Möller is: Kurt Roeckx schrieb: What I currently see as

Re: [cryptography] Duplicate primes in lots of RSA moduli

2012-02-22 Thread Marsh Ray
On 02/22/2012 09:32 AM, Thierry Moreau wrote: While commenting about http://www.cs.bris.ac.uk/Research/CryptographySecurity/knowledge.html , Marsh Ray wrote: It talks about entropy exclusively in terms of 'unpredictability', which I think misses the essential point necessary fo

Re: [cryptography] Duplicate primes in lots of RSA moduli

2012-02-21 Thread Marsh Ray
On 02/21/2012 08:31 PM, Kevin W. Wall wrote: Apologies for this being a bit OT as far as the charter of this list goes, and perhaps a bit self-serving as well. I hope you will bear with me. Meh. I think I've seen worse. :-) To a degree, I think it is more ignorance than it is outright incompe

Re: [cryptography] Duplicate primes in lots of RSA moduli

2012-02-18 Thread Marsh Ray
On 02/18/2012 03:43 PM, Jeffrey I. Schiller wrote: My concern about virtual machines is that the hypervisor layer may reduce the entropy in these inter-arrival times by quantifying them into discrete time intervals. Yes, hypervisors even introduce quantization error into the high-resolution t

Re: [cryptography] Duplicate primes in lots of RSA moduli

2012-02-17 Thread Marsh Ray
On 02/17/2012 02:51 PM, Jon Callas wrote: On Feb 17, 2012, at 12:41 PM, Nico Williams wrote: I'd like for /dev/urandom to block, but only early in boot. Once enough entropy has been gathered for it to start it should never block. One way to achieve this is to block boot progress early enough

Re: [cryptography] Duplicate primes in lots of RSA moduli

2012-02-17 Thread Marsh Ray
On 02/17/2012 01:32 PM, Thierry Moreau wrote: Isn't /dev/urandom BY DEFINITION of limited true entropy? It depends on the model you use. In the model that makes sense to me, one in which the attacker has finite computational resources (i.e., insufficient to brute-force the search space of y

Re: [cryptography] Duplicate primes in lots of RSA moduli

2012-02-16 Thread Marsh Ray
On 02/16/2012 08:42 PM, Jeffrey I. Schiller wrote: I've read the code, I know how it works... That's my point. By adding additional entropy (in this case the time) between the generation of P and Q you setup a situation where it is more likely that two hosts will share a P but not a Q. It is e

Re: [cryptography] Duplicate primes in lots of RSA moduli

2012-02-16 Thread Marsh Ray
On 02/16/2012 11:05 AM, Jeffrey I. Schiller wrote: What I found most interesting in Nadia's blog entry is this snippet of (pseudo) code from OpenSSL: 1 prng.seed(seed) 2 p = prng.generate_random_prime() 3 prng.add_randomness(bits) 4 q = prng.generate_random_prime() 5
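The pseudocode Jeff quotes from Nadia Heninger's write-up (seed, generate p, add randomness, generate q) explains the shared-factor pattern directly: two devices that start from the same poor seed draw the same p, and any entropy that arrives afterwards only diversifies q. The Go program below is an added example, not code from the post, the blog, or OpenSSL. Its generator is a deliberately simple SHA-256 counter model standing in for the PRNG in the pseudocode, the prime draw is a plain trial loop over generator output, and the boot seed and the "later entropy" strings are constructed; the point is that gcd of the two resulting moduli recovers p and factors both.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/big"
)

// drbg stands in for the PRNG in the quoted pseudocode (a model for this
// demonstration, not OpenSSL's generator): output block i is SHA-256(seed || i),
// and AddRandomness, like prng.add_randomness(bits), appends to the seed.
type drbg struct {
	seed []byte
	ctr  uint64
}

func (d *drbg) AddRandomness(b []byte) { d.seed = append(d.seed, b...) }

func (d *drbg) Read(p []byte) {
	for n := 0; n < len(p); {
		var c [8]byte
		binary.BigEndian.PutUint64(c[:], d.ctr)
		d.ctr++
		block := sha256.Sum256(append(append([]byte{}, d.seed...), c[:]...))
		n += copy(p[n:], block[:])
	}
}

// drawPrime mirrors prng.generate_random_prime(): pull bits from the generator,
// force the top two bits and the low bit, and retry until Miller-Rabin passes.
// The result is a deterministic function of the generator state.
func drawPrime(g *drbg, bits int) *big.Int {
	buf := make([]byte, bits/8)
	for {
		g.Read(buf)
		buf[0] |= 0xC0
		buf[len(buf)-1] |= 1
		if p := new(big.Int).SetBytes(buf); p.ProbablyPrime(20) {
			return p
		}
	}
}

// GenModulus follows the quoted sequence: seed, draw p, add randomness, draw q.
func GenModulus(seed, laterEntropy []byte, bits int) (n, p, q *big.Int) {
	g := &drbg{seed: append([]byte{}, seed...)}
	p = drawPrime(g, bits/2)
	g.AddRandomness(laterEntropy)
	q = drawPrime(g, bits/2)
	return new(big.Int).Mul(p, q), p, q
}

// SharedFactor is the batch-GCD step in miniature: gcd of two moduli. Anything
// other than 1 is a prime factor of both, and each modulus then splits by division.
func SharedFactor(n1, n2 *big.Int) *big.Int {
	return new(big.Int).GCD(nil, nil, n1, n2)
}

func main() {
	// Constructed scenario: two appliances boot from the same poor seed and only
	// gather distinct entropy (say, timing) after p has already been drawn.
	bootSeed := []byte("first boot: clock at epoch, nothing else mixed in")
	nA, pA, _ := GenModulus(bootSeed, []byte("host A: 1042 ms"), 1024)
	nB, pB, _ := GenModulus(bootSeed, []byte("host B: 1177 ms"), 1024)
	g := SharedFactor(nA, nB)
	fmt.Println("same p on both hosts:", pA.Cmp(pB) == 0)
	fmt.Println("moduli differ:       ", nA.Cmp(nB) != 0)
	fmt.Println("gcd(nA, nB) == p:    ", g.Cmp(pA) == 0)
	fmt.Println("q_A =", new(big.Int).Div(nA, g))
}
```

Moving the entropy mixing ahead of the first prime, or blocking until the pool is seeded before any key generation starts, removes the effect; mixing between p and q, as the pseudocode does, is exactly what turns a seeding failure into a gcd-factorable modulus rather than a duplicate key.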

Re: [cryptography] Duplicate primes in lots of RSA moduli

2012-02-14 Thread Marsh Ray
On 02/14/2012 09:02 PM, Jon Callas wrote: If you implement something like the Certificate Transparency, you have an authenticated database of authoritative data to replicate the oracle with. How important is it that the data be authenticated/authoritative in this case? Waving my hand and m

Re: [cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

2012-02-14 Thread Marsh Ray
On 02/14/2012 02:56 PM, Ralph Holz wrote: BTW, what we do not address is an attacker sending us many forged chains and/or traces. We don't want clients have to register with our server and obtain an identity. That's a sore point. Aren't the certs of interest those that chain to a well-known ro

Re: [cryptography] trustwave admits issuing corporate mitm certs

2012-02-12 Thread Marsh Ray
On 02/12/2012 10:24 AM, John Levine wrote: They also claim in their defense that other CAs are doing this. Evading computer security systems and tampering with communications is a violation of federal law in the US. As the article made quite clear, this particular cert was used to monitor traf

Re: [cryptography] Chrome to drop CRL checking

2012-02-07 Thread Marsh Ray
On 02/07/2012 05:41 PM, Andy Steingruebl wrote: I don't remember Adam saying in his blog post or in any other posts, etc. that this is the only change they will make to Chrome. Surely. At the same time I think they did get fairly tired of hard-coding a CRL list into the Chrome binary itself

Re: [cryptography] Chrome to drop CRL checking

2012-02-06 Thread Marsh Ray
On 02/06/2012 09:00 PM, Jonathan Katz wrote: One question, though. Langley writes: "If the attacker is close to the server then online revocation checks can be effective, but an attacker close to the server can get certificates issued from many CAs and deploy different certificates as needed." A

Re: [cryptography] Well, that's depressing. Now what?

2012-01-31 Thread Marsh Ray
On 01/31/2012 05:21 AM, ianG wrote: major software product that still calls self-signed certificates "snake-oil" certificates. Which is upside down, the use of the term itself can be snake-oil recursively. That would make it 'Ouroboris oil'. Yes, easy. QKD requires hardware. A laser+receiver

Re: [cryptography] Well, that's depressing. Now what?

2012-01-28 Thread Marsh Ray
On 01/28/2012 11:22 AM, Nico Williams wrote: Let's turn it around: what QKD products do you think are not snake oil today? Please be specific (list products currently on sale) and back up the assertion with a rationale, remembering that this is in comparison to classical cryptography technology.

Re: [cryptography] Gregory Perry's follow-up to the FBI OpenBSD / OCF backdoors thread (was: Fwd: [gsc] Fwd: OpenBSD IPSEC backdoor(s))

2012-01-15 Thread Marsh Ray
On 01/15/2012 07:18 PM, Jonathan Thornburg wrote: On Sat, 14 Jan 2012, Alfonso De Gregorio wrote: Back in December 2010, we discussed the OpenBSD IPSec backdoor allegations. Two days ago, Cryptome.org published the Gregory Perry's follow-up to the this story. FBI OpenBSD Backdoors and RSA Ciphe

[cryptography] Fwd: [TLS] Fwd: New Non-WG Mailing List: therightkey

2012-01-14 Thread Marsh Ray
Original Message Subject: [TLS] Fwd: New Non-WG Mailing List: therightkey Date: Fri, 13 Jan 2012 18:26:18 + From: Stephen Farrell To: s...@ietf.org , pkix , t...@ietf.org , dane FYI please sign up if interested but wait a few days to give folks a chance to sign up be

Re: [cryptography] "folded" SHA1 vs HMAC for entropy extraction

2012-01-05 Thread Marsh Ray
On 01/05/2012 05:59 PM, Thor Lancelot Simon wrote: FWIW, using HMAC like this is the "extract" step of the two-step extract-expand HMAC based construction that is HKDF From http://tools.ietf.org/html/draft-krawczyk-hkdf-01 2.2. Step 1: Extract PRK = HKDF-Extract(salt, IKM) Options:
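Thor's framing of the two-key HMAC construction as HKDF's extract step, with PRK = HKDF-Extract(salt, IKM) quoted from the draft (since published as RFC 5869), is easier to judge with the whole two-step KDF in front of you. The Go program below is an added example, not code from the post or from the HKDF draft: it implements Extract and Expand over crypto/hmac, checks them against the RFC 5869 Appendix A.1 test case, and ends with constructed "enc" and "mac" labels to show the two-purpose case from this thread, one extraction and then distinct info strings, rather than two differently keyed HMACs over the same raw input.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash"
)

// Extract is HKDF step 1: PRK = HMAC-Hash(salt, IKM). The salt is the HMAC key,
// so a fixed, public salt is fine; it only has to be independent of the input
// keying material. A missing salt is HashLen zero bytes.
func Extract(h func() hash.Hash, salt, ikm []byte) []byte {
	if len(salt) == 0 {
		salt = make([]byte, h().Size())
	}
	m := hmac.New(h, salt)
	m.Write(ikm)
	return m.Sum(nil)
}

// Expand is HKDF step 2: T(i) = HMAC-Hash(PRK, T(i-1) || info || i), concatenated
// until length bytes exist. The one-byte counter caps length at 255*HashLen.
func Expand(h func() hash.Hash, prk, info []byte, length int) []byte {
	if length > 255*h().Size() {
		panic("hkdf: requested length exceeds 255*HashLen")
	}
	var okm, prev []byte
	for i := byte(1); len(okm) < length; i++ {
		m := hmac.New(h, prk)
		m.Write(prev)
		m.Write(info)
		m.Write([]byte{i})
		prev = m.Sum(nil)
		okm = append(okm, prev...)
	}
	return okm[:length]
}

// DeriveKeys is the two-purpose case: extract once, then select a key per
// purpose through the info label. Labels never collide, so outputs are independent.
func DeriveKeys(ikm, salt []byte, purposes []string, keyLen int) map[string][]byte {
	prk := Extract(sha256.New, salt, ikm)
	keys := make(map[string][]byte, len(purposes))
	for _, p := range purposes {
		keys[p] = Expand(sha256.New, prk, []byte(p), keyLen)
	}
	return keys
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	// RFC 5869 Appendix A.1 test case (SHA-256).
	ikm := mustHex("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b")
	salt := mustHex("000102030405060708090a0b0c")
	info := mustHex("f0f1f2f3f4f5f6f7f8f9")
	prk := Extract(sha256.New, salt, ikm)
	fmt.Printf("PRK %x\nOKM %x\n", prk, Expand(sha256.New, prk, info, 42))
	// Constructed labels: one PRK, two unrelated 16-byte keys.
	for p, k := range DeriveKeys(ikm, salt, []string{"enc", "mac"}, 16) {
		fmt.Printf("%s %x\n", p, k)
	}
}
```

The entropy-pool question in the thread maps onto Extract alone: the output of a hash or HMAC over the pool is a fixed-length PRK whose quality is bounded by the pool's entropy, and everything downstream should be Expand with a distinct label per consumer rather than a second pass over the raw pool.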

Re: [cryptography] "folded" SHA1 vs HMAC for entropy extraction

2012-01-05 Thread Marsh Ray
On 01/05/2012 03:46 PM, Thor Lancelot Simon wrote: I am asking whether the use of HMAC with two different, well known keys, one for each purpose, is better or worse than using the "folded" output of a single SHA invocation for one purpose and the unfolded output of that same invocation for the ot

Re: [cryptography] How are expired code-signing certs revoked?

2011-12-21 Thread Marsh Ray
On 12/21/2011 04:24 PM, Michael Nelson wrote: Somewhat related: The IEEE is asking for proposals to develop and operate a CA as a part of their Taggant System. This involves signing to validate the usage of packers (compressing executables). Packers can make it hard for anti-virus programs to s

Re: [cryptography] OpenDNS

2011-12-08 Thread Marsh Ray
On 12/08/2011 01:09 PM, jd.cypherpunks wrote: David Ulevitch is rolling out OpenDNS http://david.ulevitch.com/ What do you think? I assume you're talking about their new DNSCrypt application. They seem to be saying it's an implementation of DJB's DNSCurve protocol. https://twitter.com/#!/david

Re: [cryptography] How are expired code-signing certs revoked?

2011-12-08 Thread Marsh Ray
On 12/08/2011 09:16 AM, Darren J Moffat wrote: On 12/07/11 14:42, William Whyte wrote: Well, I think the theoretically correct answer is that you *should*... these days all the installers can be available online, after all. Except when the installer CD you need is the one for the network drive

Re: [cryptography] How are expired code-signing certs revoked?

2011-12-07 Thread Marsh Ray
On 12/07/2011 08:12 PM, lodewijk andré de la porte wrote: I'm afraid "far more effective" just doesn't cut it. Android has "install .APK from third party sources" which you'll engage whenever you install an APK without using the market, trusted or not. That's why I didn't use Android as an exam

Re: [cryptography] How are expired code-signing certs revoked?

2011-12-07 Thread Marsh Ray
On 12/07/2011 07:01 PM, lodewijk andré de la porte wrote: I figured it'd be effective to create a "security awareness group" figuring the most prominent (and only effective) way to show people security is a priority is by placing a simple marking, something like "this site isn't safe!" I thou

Re: [cryptography] How are expired code-signing certs revoked?

2011-12-07 Thread Marsh Ray
[Really this is to the list, not so much Jon specifically] On 12/07/2011 02:10 PM, Jon Callas wrote: Let's figure out what we're trying to accomplish; after that, we can try to figure out how to do it. I think that's the central problem we're dealing with. There is scads of mechanism and

Re: [cryptography] How are expired code-signing certs revoked?

2011-12-07 Thread Marsh Ray
On 12/07/2011 09:11 AM, d...@geer.org wrote: Another wrinkle, at least as a logic problem, would be whether you can revoke the signing cert for a CRL and what, exactly, would that mean -- particularly if the last known good date is well astern and hence the revocation would optimally be retroact

[cryptography] DTLS implementation attack?

2011-12-06 Thread Marsh Ray
Anyone have any more info on this? Even just a CVE or 'fixed in' version would be helpful. http://www.isoc.org/isoc/conferences/ndss/12/program.shtml#1a Plaintext-Recovery Attacks Against Datagram TLS Kenneth Paterson and Nadhem Alfardan We describe an efficient and full plaintext recovery at

Re: [cryptography] Digest comparison algorithm

2011-12-01 Thread Marsh Ray
On 12/02/2011 01:21 AM, Marsh Ray wrote: Out of a set of 4096 (salt values) random functions each mapping { 1...256 } -> { 0 ... 255 } samples H[0] values how many would we expect to have all samples map to the same value, i.e., have a codomain size of 1 ? s/codomain/image/ - Ma

Re: [cryptography] Digest comparison algorithm

2011-12-01 Thread Marsh Ray
On 12/02/2011 12:25 AM, Solar Designer wrote: On Thu, Dec 01, 2011 at 11:16:14PM -0600, Marsh Ray wrote: 1. The largest cluster will represent the case where H[0] fails the comparison in strcmp(). 2. The second cluster will be on the order of a few machine cycles longer, representing times

Re: [cryptography] Newbie Question

2011-12-01 Thread Marsh Ray
On 12/01/2011 11:11 PM, Sampo Syreeni wrote: On 2011-12-01, Randall Webmail wrote: I am an almost-complete greenie WRT crypto, which is why I'm here to learn. What is the proper thing to do when one of those things pops up? (It is NOT a rare event). They mostly mean you no harm. You don't

Re: [cryptography] Digest comparison algorithm

2011-12-01 Thread Marsh Ray
On 12/01/2011 10:15 PM, Solar Designer wrote: On Thu, Dec 01, 2011 at 09:15:05PM -0600, Marsh Ray wrote: When you can evaluate MD5 at 5.6 GH/s, accessing even a straight lookup table in main memory is probably a slowdown. Yes, but those very high speeds are throughput for large numbers of

Re: [cryptography] Digest comparison algorithm

2011-12-01 Thread Marsh Ray
On 12/01/2011 06:15 PM, Jerrie Union wrote: How should the attacker mount the attack after hash[0] has been recovered? He tests passwords that yield the identified H[0]. I guess for a given digest D if the attacker guess the character at position 1 (D[1]) by supplying the secret S there’

Re: [cryptography] Digest comparison algorithm

2011-12-01 Thread Marsh Ray
On 12/01/2011 04:37 PM, Jerrie Union wrote: public boolean check(digest, secret) { hash = md5(secret); if (digest.length != hash.length) { return false; } for (i = 0; i< digest.length; i++) { if (digest[i] != hash[i]) { return fals

Re: [cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)

2011-12-01 Thread Marsh Ray
On 12/01/2011 11:09 AM, Ben Laurie wrote: On Thu, Dec 1, 2011 at 4:56 PM, Marsh Ray wrote: http://www.prnewswire.com/news-releases/geotrust-launches-georoot-allows-organizations-with-their-own-certificate-authority-ca-to-chain-to-geotrusts-ubiquitous-public-root-54048807.html They appear to

Re: [cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)

2011-12-01 Thread Marsh Ray
On 11/30/2011 06:44 PM, Adam Back wrote: Are there really any CAs which issue sub-CA for "deep packet inspection" aka doing MitM and issue certs on the fly for everything going through them: gmail, hotmail, online banking etc. http://www.prnewswire.com/news-releases/geotrust-launches-georoot-

Re: [cryptography] Auditable CAs

2011-11-30 Thread Marsh Ray
On 11/30/2011 12:01 PM, Ben Laurie wrote: On Wed, Nov 30, 2011 at 5:16 PM, Marsh Ray wrote: Perhaps you define this category of "publicly visible certs" as "certs which display without warnings on default-configured browsers when presented by the correct site". ... On

Re: [cryptography] Auditable CAs

2011-11-30 Thread Marsh Ray
On 11/30/2011 05:24 AM, Ben Laurie wrote: On Wed, Nov 30, 2011 at 1:18 AM, Marsh Ray wrote: Perhaps the relevant property is "certs issued by a browser-trusted CA or subordinate" regardless of their visibility. If they are not visible, why would we care whether they are in the
