Domain: counterpane.com
Stories and comments across the archive that link to counterpane.com.
Comments · 629
-
Hrefs, in order..
Bruce's main site.
Information on Skipjack
Information on impossible-differential cryptanalysis
Information on attacks unknown to the NSA
About the Windows NSAKEY flap
Probable NSA backdoors
Information on the Blowfish algo
Information on the Twofish algo
Speed comparison of known algos
Speed comparison of the AES candidates
Summary of attacks on various algos
Breaking crypto isn't the best way to beat security. Article 1 Article 2
Information on the Solitaire algo
Information on the Yarrow algo
Importance of peer-reviewed crypto
Comments on proprietary encryption
Dismissal of cracking contests
"You say you can't break it; well, who the hell are you?"
Twofish team's published papers
David Wagner's published papers
So you wanna become a cryptographer?
Information on side-channel attacks
Information on power-analysis attacks
More information on side-channel attacks
Article on Quantum computing
The problems with the public-key infrastructure
The problem with longer keys
l0phtcrack
Biometrics as keys? -
small correction
I believe the man's name is Bruce Schneier.
Not Schneir.
See his website. -
"Password Safe" for the Palm
Can you recommend a program available for PalmOS that has the same features (and the same level of security) as Password Safe?
I could really use a utility like this -- although first, I have to save up enough quarters to get a Palm machine -- but even if I had source code, I wouldn't be able to distinguish a good security implementation from a bad one.
-
Solitaire (Peer Review Status)
-
Re:Waimea?
You are absolutely correct... I will submit the Gnuidea design ideas for Waimea to professionals like Bruce Schneier of Counterpane Systems for review and will GPL everything so people can point out all my flaws and hopefully, in time, we can make something really really good.
Justin -
Re:On the Golden Age of cryptography...
One-time pads (OTPs) are actually "information-theoretically secure." However, a true OTP has to be generated from a truly random source. Most computers are therefore physically incapable of producing OTPs. (Being deterministic state machines, they usually have no "source" of "randomness".) And, as no-one has yet quoted Knuth or von Neumann in this thread, I get to: "Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin." Netscape's security was once broken by analysis of the amount of time the machine spent generating a "random" number.
Book codes such as the one you mention are actually very, very far from one-time pads. Books are certainly not random, nor are they particularly secret.
Another requirement of a theoretically secure OTP is that it truly is used only once. The Venona project was the spectacular result of the US breaking the Soviet Union's OTP system. For whatever reason, the Soviet Union clerks who produced OTP keys needed to increase production. OTP keys were supposed to be generated by putting two sheets of paper in a typewriter with a carbon between them and entering random characters. The "clever" clerks put four sheets of paper in their typewriters (with two carbons) and doubled their productivity. Once the duplicate keys were recognized by the US codebreakers, the messages were then attacked and many were broken. For a good read (minus the detailed math, sorry,) check out Venona: Decoding Soviet Espionage in America by John Earl Haynes.
For a simple explanation of the theory behind the security of a one-time pad, read Applied Cryptography by Bruce Schneier.
Again, one-time pads are secure, but only as long as the keys are 1) random, 2) secure, and 3) not reused. Book codes are not one-time pads.
-
The main problem with Electronic Democracy...
...is that, as Bruce Schneier and a recent NYTimes article both point out, it re-introduces the problem of voter coercion that was eliminated by public, manned, polling places. In the polling booth, your vote is private, and public representatives can vouch for that fact. At home/work, others can buy or threaten you to vote a particular way and can watch to ensure that you follow-through.
--LinuxParanoid, apparently not just paranoid about Linux-related things ;-) -
Schneier and patents
Bruce Schneier is a very nice guy and has done a lot to popularize cryptography and fight common misconceptions about cryptography. However, I still think that if he had made a breakthrough in cryptography of the same magnitude as RSA he would have patented it.
The fact that he made Blowfish free is not an indication - what would he have to gain by patenting it? Another patented symmetric algorithm which nobody but Counterpane would use? This way, he got a lot of publicity and good feelings from the community. -
Windows NT needs 50..3000 security changes.
From: crypto-gram
Many people asked me about my comment last issue about Windows NT needing over 300 security changes to make it secure. I queried the Usenet newsgroup comp.os.ms-windows.nt.admin.security asking if it was folklore or truth, and got several answers. The consensus seemed to be that the number was somewhere between 50 and 3000, and 300 wasn't an unreasonable estimate. A good checklist is available here: http://people.hp.se/stnor/ And see also: http://www.trustedsystems.com/NSAGuide.htm
-
I smell a hoax
If this is true it would be a huge breakthrough for the computing field. Why does the story give so few details? I'm going to wait to see what Bruce Schneier says about it in his newsletter (if he even says anything). While I'm at it, people, please learn the difference between symmetric and public key systems and bits and bytes. You look quite silly if you don't. Bruce's site (or book) is a good place to start looking for a clue.
-
You're doing the NSA's job for them!
The conclusions of those "people out there" are not based on anything resembling a fact. If this sort of mindless, groundless pessimism puts even one person off encrypting just one email message with the best tools we have (PGP, GPG etc) then the NSA have done part of their job without spending a single compute cycle.
Learn a little about how modern crypto works (The Cryptogram is a good place to start). Read the descriptions of some of the AES candidates: Serpent, RC6 or Rijndael might be good ones to start with. Even in the supremely unlikely case that the NSA can crack everything we use, it would still cost them something in compute cycles, and encrypting all the world's email would still put a significant barrier in the path of their intelligence-gathering activities.
-- -
Re:This is already in use in London, UK
While there is nothing to say against the intentions and possible benefits of this technology, building such a network creates a huge potential for misuse:
who has access to this system?
how long is the data stored?
how secure is the system (tampering)?
A more "democratic" system would be the one invented by Neal Stephenson where everyone wears a camera with hotlink to the police station. Kind of a visual 911. But even that creates a society I wouldn't want to live in. So, I cannot find anything cool about it...
For reasons why biometrics isn't as good as you might think, you can read this article by Bruce Schneier.
-
No response? Encryption?!
I'm surprised that the official City of Ruston web page has remained unchanged through all this publicity. Even the Ruston High web site lacks any response to this. In fact, the Ruston High School web site dates back to 1996 and still lists Randy Moore, not Dr. Charles Scriber, as principal. Someone really should update these sites to keep up to date with the issues that get their town national coverage.
But... what really bothers me the most about this story is how "Numeric Code 39" is referred to as encryption. Even one of the students, Jonathan Washington, opposing use of social security numbers on student ids states on his web page that "The barcodes on the ID Badges at Ruston High School are encrypted in what is called Numeric Code 39." At least Jonathan Washington's web page goes on to explain a coding system which clearly is not encryption. The WorldNet Daily's interview of "Dr." Scriber is much more offensive. He defends the use by stating that nowhere in the Social Security Act is there "any language pertaining to the use of Social Security numbers in encrypted codes."
SO WHAT! It is not like *encrypted* codes are being used! Where did this guy get his doctorate from? It seems like some places will provide a "Dr." to go in front of somebody's name for accomplishing opening a box of crackerjacks! Sheesh.
I wish World Net Daily would interview someone where it means something when they say the word "encryption." Have a published debate on Numeric Code 39 "encryption" between Dr Scriber and Bruce Schneier before talking b.s. about if the Social Security Act allows/disallows encrypted coded use of SSNs. Numeric Code 39 isn't even a one way hash. It is just a common one-for-one representation.
-
Open Source and Security
Interestingly, another major security expert, Bruce Schneier, in his Sept. 15 CRYPTOGRAM, praises Linux for its relative security over Solaris. (Schneier declines even to compare Linux to Windows.)
Schneier attributes Linux's enhanced security to its being open source.
So to say that Linux is insecure gives rise to the question, "Insecure as compared to what?".
Of the three BSD's, OpenBSD is the most secure. It is also Canadian, free from US export restrictions.
Since, as Schneier suggests, open source enhances security and since OpenBSD is the most secure, we might conclude that in some broad sense the term "open source" extends to freedom from export controls as well as freedom from various intellectual property restraints.
-
CryptoAPI does not encrypt
One thing to bear in mind is that the CryptoAPI does not encrypt. Rather, it's a "method-independent" API for calling encryption modules. Microsoft uses the CryptoAPI so that they can ship weak encryption modules for export, and strong ones for U.S. use, without any programs having to be recompiled to, e.g., compensate for the fact that 3DES uses 168-bit keys rather than 56-bit keys like the export DES (assuming MS got permission to raise it from 40 bits).
It is possible for a "middleware" product like the CryptoAPI to be insecure, but not likely. I still wouldn't trust Microsoft's own encryption modules though (the ones actually CALLED by CryptoAPI). For one thing, a good PRNG to get randomly-distributed keys is VERY hard to write. I just finished writing one because every distributed PRNG that I came across produced predictable keys (meaning that you don't have to brute force all possible keys to break the encryption, just the keys produced by the pseudo-random number generator, which proved not to be so random!). I seriously doubt that Microsoft got the PRNG right, and Bruce Schneier's own "Yarrow" PRNG is perfect proof of that (Bruce has a paper on his site, www.counterpane.com, detailing attacks on a PRNG that will let you crack encryption in MUCH less time than a pure brute-force attack).
-E
-
Technological measures...
The only problem with most of this debate so far is that it's next to meaningless. The question was to ask if there were any initiatives to make Internet-based voting workable in the USA. As far as I know (which isn't much on the political side), no, there aren't.
However, this doesn't mean that it can't be done. <pulls well-thumbed copy of Applied Cryptography, 2nd Edition down from its shelf> Chapter 6 in this book has a bunch of 'Esoteric Protocols', including 'Secure Elections'. I'd wholeheartedly recommend anyone doing any research into this field to get this book.
In a nutshell, there are at least 6 (and sometimes more) different requirements for a protocol that can be used for secure voting. These are:
- Only authorized voters can vote.
- No one can vote more than once.
- No one can determine for whom anyone else voted.
- No one can duplicate anyone else's vote (meaning, they can't just say "okay, I'll just make it easy and vote the way Bob did over there").
- No one can change anyone else's vote without it being discovered (and invalidated).
- Every voter can make sure that his vote has been taken into account in the final tabulation.
- Everyone knows who voted and who didn't.
There are very simple voting protocols, and the book describes the reasons these protocols don't meet the aforementioned requirements. (Some of these fall prey to the 'clipper chip' paranoia... "ohmigod, the government (or 'my party', etc) can figure out that I didn't vote for them!!!". Since voting's supposed to be -completely- anonymous from the time you're in the booth to the time you're not... I see this as a valid concern.)
There's a lot of useful things to be found in this book, and again, I wholeheartedly recommend it. There's undoubtedly been more research done in the 4 years since it was published; however, I've not been keeping up on that portion of the literature.
References:
_Applied Cryptography_, 2nd Edition, by Bruce Schneier, ISBN 0-471-11709-9. pp. 125-134. http://www.counterpane.com
Some of the above was taken directly from the book. Since I don't know HTML well enough to be able to format this the way it's supposed to be formatted in that case, please don't complain about my lack of proper formatting.
-
Already reported in April CryptoGram
In the April CryptoGram Bruce Schneier writes about the threat of viruses and trojans modifying verification keys:
Microsoft had the foresight to include two root-level Authenticode certificates, presumably for if one ever gets compromised. But the software is designed to authenticate code if even one checks out. So a virus can replace the authenticode spare certificate. Now rogue software signed with this rogue certificate verifies as valid, and real software signed by valid Microsoft-approved companies still checks out as valid.
The wrong assumption is that it is a result of Microsoft foresight - the leaked debug symbols reveal the second key to be an NSA key. The analysis about being able to replace one either voluntarily or maliciously is still correct.
-
NSA's text search is not fooled by random keywords
Those random keywords most probably don't set off the spook detectors. The NSA sells the technology to scan and filter through text to big business. They actually have advertisements for this. It is more sophisticated than just a keyword search -- it actually understands the grammars of several languages. It has been specifically developed to not have false positives due to random keywords. I think this was posted somewhere on Counterpane Systems originally, but am not 100% sure. I'll look for it and if I find it, I'll post the link here in a reply to this message.
-
Secure Web Mail analysis
I've mentioned Hushmail as a secure alternative to Hotmail before... It seems there are still some concerns. Here is Bruce Schneier's analysis. Also interesting is HushMail's reply. (Hey, Hushmail uses Blowfish!)
Also noteworthy is that HushMail released their source code.
If you ask me, it beats Hotmail hands down.
:)
"There is no surer way to ruin a good discussion than to contaminate it with the facts."
-
Nothing wrong with web freemailers...
...just most current web freemailers. Web-based email can be really convenient. With more and more web-only free public terminals around, it's becoming a more standard and easier way to read your email than telnet.
What's needed is a good, free, SECURE web-based freemail. There have been a number of such attempts, such as HushMail, etc. - but all are pretty lacking. A good overview of "secure" web-based mailers can be found at Counterpane.
It's time for people to start rejecting inherently insecure solutions.
-
...and trusted by the general public
A few months back, a letter to Crypto-Gram pointed out that people use security measures that they believe in. People trust ink-on-paper signatures, even though security experts know how easy it is to forge a signed paper document; therefore, the authorization mechanisms that actually exist in our society rely heavily on such signatures.
Some day, I hope, every junior-high-school student will learn the basic cryptographic concepts behind PGP and its kin. Then, most people will know enough about cryptography to evaluate products that use published cryptographic protocols and shun products that don't. (I can dream, can't I?) Until then, most people will continue to trust ink on paper more than anything else, and the field of commercial cryptography will be littered with buggy software, snake oil, and Trojan horses.
-
Not a one time pad :-(
This isn't a one time pad, and it's not terribly secure.
Why This Program Isn't Very Secure
Audio data is not very random. It contains lots of patterns. Record a sound file (or save an MP3 as a WAV) and look at the file. Some bytes show up more frequently than others. So at a minimum, an attacker can probably perform some messy statistics and discover some general things about your file--which byte values show up more often than others, for example.
Some Good Things About This Program
This program uses a poor encryption algorithm but a very large key. So even if parts of the file are decrypted, other parts will always be garbage. Most attacks on this program will give probabilities, not definite results.
How to Fix It
Remove the one-time-pad entirely. Replace it with a quality block cypher (this allows you to use the same key more than once, which you can't ever do with a one-time pad). Use your audio file (or other file) to generate a large key. Decide on a way to use your enormous key effectively.
How to Learn More
Read Applied Cryptography. Modern cryptography is very, very good, and there's no reason to fool around with one-time-pads and pseudo-random number generators.
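Added example, not the program discussed in the comment above: a Python check of how far audio bytes fall short of a random pad, and of how an XOR pad passes that skew straight into the ciphertext. `synthetic_audio` is a constructed stand-in for an 8-bit WAV file, and all function names here are assumptions made for illustration.

```python
import math
import os
from collections import Counter

def synthetic_audio(n=65536, rate=8000):
    """Constructed stand-in for 8-bit unsigned PCM: two tones under a slow fade."""
    out = bytearray()
    for i in range(n):
        t = i / rate
        fade = 0.5 + 0.5 * math.cos(2 * math.pi * 0.25 * t)
        tone = 30 * math.sin(2 * math.pi * 440 * t) + 10 * math.sin(2 * math.pi * 1320 * t)
        out.append(128 + round(fade * tone))    # stays within 88..168
    return bytes(out)

def byte_stats(data):
    """Per-byte Shannon entropy and min-entropy (in bits) of a candidate pad."""
    n = len(data)
    counts = Counter(data)
    shannon = -sum(c / n * math.log2(c / n) for c in counts.values())
    p_max = max(counts.values()) / n            # chance the commonest byte is the right guess
    return {"distinct": len(counts), "shannon": shannon,
            "min_entropy": -math.log2(p_max), "p_max": p_max}

def xor_pad(plaintext, pad):
    """The scheme under discussion: XOR each plaintext byte with the next pad byte."""
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than message")
    return bytes(p ^ k for p, k in zip(plaintext, pad))

if __name__ == "__main__":
    audio = synthetic_audio()
    for name, pad in (("audio", audio), ("os.urandom", os.urandom(len(audio)))):
        s = byte_stats(pad)
        print(f"{name:10s} distinct={s['distinct']:3d} "
              f"shannon={s['shannon']:.2f} min_entropy={s['min_entropy']:.2f}")
    # A run of identical plaintext bytes (padding, a blank region) encrypts to
    # ciphertext with exactly the pad's skewed byte distribution.
    print(byte_stats(xor_pad(b"\x20" * len(audio), audio)))
```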
-
AntiSniff timeline...
-
Re:Excuse me but...
Um, let's just hope Bruce Schneier doesn't log in to slashdot. That "informative article" did a horrible job confusing algorithmic obscurity with password "obscurity" (ie, secrets). PLEASE, if you want to know something about crypto, read information from established crypto experts (Bruce, for example...). Check out Bruce Schneier's company website for essays, and a link to his crypto-gram newsletter. Pick someone else if you want, but trust crypto experts first. BTW, does Matthew (the article's author) have a crypto background?? (He may well have one, I'm just not aware of it...)
-
Re:Asymmetric vs. Symmetric & I'm not worried...
Quick! Run, don't walk, and find yourself a copy of Applied Cryptography!!!
Read read read read it! Right before bed every night, and right when you wake up in the morning. Peruse the web in search of information (searches for terms like PGP, RSA, Diffie, Public Key, Key Server, Cryptography, Cryptanalysis, security, privacy and other related terms will probably yield some more helpful info...)
Counterpane is probably one of the best places to start. Read the white papers there. Subscribe to the newsletter. Check out the links. You might want to check out RSA as well. They've got a bunch of FAQ's on their website, most of which will answer your questions. You may also want to check out PGP (that link's only if you're not a business)... The PDF manual has a lot of info as to how the product works. Verisign will probably have some more information... I haven't been there recently, but I'm sure you can unearth something...
Anyone else want to pile on some more resources for this guy (or girl)?
(That was still a lot less typing than answering all those questions, and will probably supply better information than I could type in an hour...)