Ask Security/Cryptography Expert Paul Kocher
Paul Kocher is unquestionably one of the highest-profile computer and network security experts around. He's president of Cryptography Research, Inc. and one of the architects of SSL 3.0. The floor is now open. Please try not to ask questions that can be answered with a few minutes' worth of online research. We'll post Paul's answers to 10 of the highest-moderated questions soon after he gets them back to us. Update: 03/13 18:18 GMT by M : Let's try this one more time, this time with feeling.
While studying cryptanalysis, I've been learning about a number of interesting attacks such as timing attacks and differential power attacks (your speciality, if I recall). While these attacks certainly seem to help cryptanalysis of various ciphers, how practical are they in terms of real security? That is to say, what are the chances that these methods are actively being used by attackers?
Should the general public have access to powerful and secure computing as a right, or should cryptography be limited to banks, government agencies, etc.? Do you believe that, as cryptography becomes more prevalent and as computing power increases we will see an increase in criminal activity over the web? And if so, what is the best way to curb illegal activities on the Internet, for example do you give the keys to the Governments that request them?
fkgsdf%LDjöofjnvBNlöjbfjsbyv%$bhlvy$knvnlkblnbxcjv byx$LJKFhgsfKNV4346Khndjbgvkbhdfgföljny kny_FYFKdfknyY_LirhrhaeihÖFHGsfihFYbjbK453KhdsFkbs KbfknvyVNkKnfkgnbxfdkn445k3nlDKNAdsSAdkfasdfKLNKdf nDFKgnentk4n4ktn4knt4 kaKdfnjaSDKfnaDKfnaK4n4knaKGAna4ank495p9zhthgugbhf hjbernara?
Fleur de Sel
Is there any feasible way to make SMTP authenticated so spammers can't spoof their IP addresses? Everyone keeps asking but no one seems to know if it's possible.
Therefore, "Please try not to ask questions that can be answered with a few minutes' worth of online research." should be rewritten as, "Please try not to ask or moderate up questions that can be answered with a few minutes' worth of online research. "
They can barely run the site without breaking things left and right. They can't even post your article without screwing it up. Plus, the inane commentary of dimwit "editors" leaves much to be desired, and they actually expect people to pay money for subscriptions!
For every advancement in computer security, there seems to be a social backdoor involving the humans that use the system. Is there any research being done on figuring how to effectively solve the social engineering problem at the software/hardware level somehow?
~ The Fudge Report @ http://mywebpages.comcast.net/fudgereport/
It has been said that it is just as important (if not more so) to focus on educating people on what cryptography can do for them as it is to research cryptography to come up with important breakthroughs. What is your opinion on this? Should more focus be put on educating the public?
How do you sleep at night knowing your products protect terrorists, child molesters, and pirates?
I'm guessing you piss the bed often...
What should manufacturers of networking equipment and software do to help their customers' security efforts?
In Crypto there's the NSA and there's everybody else. It's also well known they're years ahead of the pack etc.
My first question is, how confident are you, as a crypto person, that you're not inadvertently peddling snake oil, that is, crypto the NSA has already cracked?
Second, the NSA allegedly has secret patents it uses to suppress new crypto. Do you think this is a significant inhibitor on research or am I worried for nothing?
It's Christmas everyday with BitTorrent.
Where do you find the most resistance is in integrating/using a new standard such as this?
- The software developers
- The software distributors
- The end users
My first guess would be the end users, but I am curious as to which group gives you the most problems.
Given that an SSL connection is cryptographically secure, and that any security is only as strong as its weakest link...
How secure do you really think an SSL connection is when both parties are having to trust certificates signed by third parties? I don't know how Verisign store their root keys, nor do I know how they verify the identity of someone before issuing a certificate. So can I really trust that a certificate signed by them is valid and can you see any way of removing the trust element?
Z.
-- Under/Overrated is meta-moderation, and therefore is Redundant.
How do you think the recent discovery of a formulaic test for the primality of a number might affect current cryptographic systems? Is there a way to exploit this method into a better system for factoring large primes?
:wq
+5 Insightful
What is the best way to protect against DDoS? Going from what I have seen, there have been a number of ideas, such as getting any inbound routers to check that they have a path for any incoming packets and filtering RFC 1918 address space. Also rate limiting helps, but none seem to be a total cure. What else can be done?
Cheap UK and US VPS
From the formal side of things, I am new to information security. I have been doing applied security work for about three years. I would really like the challenge of writing a thesis, but so far I haven't come up with anything.
Here are my requirements: I want the topic to be challenging, I want it to be within the grasp of a Master's level understanding of information security, and I want it to be valuable to the community.
Are there any areas or topics that need to be addressed but have not? Is there something the community needs but has not yet received? If background info helps, I really enjoy picking apart IP traffic, and have some interest in fractals from a mathematic perspective.
Also, I'd like to say thanks for the links on your site. I now have tons more reading material.
Still, with a plan, you only get the best you can imagine. I'd always hoped for something better than that. -CP
If you make an "extended hash" by concatenating the SHA hash (160 bits) and MD5 (128 bits), you get a 288-bit hash. What is the actual cryptographic strength of this "extended hash"? 288 bits? 160? 128? Even less?
Have you ever forgotten an important password/passphrase?
I've had enough abrasive sigs. Kittens are cute and fuzzy.
They're called Neutron Bombs.
Honestly, as long as a system can be accessed by someone, it can be accessed by someone that shouldn't.
"Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
Why not make stories have a ten or fifteen minute delay to allow people to actually READ the articles. Have a little timer that says how long until the story goes live for comments. This might take care of some of those who never read the articles.
Just a thought....
Thank you, Joshua
When in danger or in doubt, run in circles, scream and shout!
In your consulting capacity (and without naming names), have you ever run across a company's security implementation that was so bad, so insecure, so open to exploitation that you felt an overwhelming compulsion to shut down the servers, lock the doors and call in a security SWAT team? That you actually felt like going out and shorting the company's stock? That you had to hold back from whomping someone upside the head? That you inquired about having the head of security investigated to make sure he wasn't a black hat hacker/competitor's security spy/foreign agent? How bad was the worst implementation you've ever seen?
is being made towards the implementation and use of elliptic curve cryptography?
I have read a lot about it and it seems to be the direction public-key crypto is going nowadays. Have you done any serious work in this field? And if so, when do you think the public will start to see it implemented full force?
~ kjrose
What's your opinion on VPNs based on SSL/TLS, instead of those using protocols such as IPsec or PPTP?
Are SSL VPNs up to par? What are their strengths and weaknesses? Was SSL designed for such applications?
-------
Warning: Slashdot may contain traces of nuts.
The Internet was primarily designed for use by researchers who were collaborating on similar projects, and so security was not part of the design. Would you advocate designing and building another Internet where security was a major design goal? Or can we tweak the current Internet to reduce the amount of maliciousness that goes on now?
Sheesh, you're asking the wrong place. This deserves an entire "Ask Slashdot".
You or Bruce Schneier?
Along these lines, of your own personal communications and data storage, what do you encrypt and what do you leave unencrypted?
"I don't know half of you half as well as I should like, and I like less than half of you half as well as you deserve."
Are customers of cryptography aware that their security relies upon some unproven assumptions, and that a theoretical breakthrough could jeopardize all encrypted communication, past and present? In case this happens, are you taking steps to make sure that customers won't attempt to sue the person or group that designed the encryption they were using, or sue the person or group that broke it?
Do you think it's possible to make things like e-mail encryption and key management easy enough to make high security procedures widely used by mainstream PC users? I've long thought that this was a neglected area, and that the bar was set very high--security for that user group would have to be essentially zero effort and invisible.
The older versions of SSL have been very insecure.
How will the SSL team improve security in the new version of the SSL protocol?
Note to self: get smarter troll to guard door.
Paul, what do you think about Microsoft's Palladium initiative and Trusted Computing in general? Will it achieve its goals from the security perspective? Is it only for DRM or are there other ways that you could use it?
Will the advent of quantum computing render even current, state-of-the-art cryptography obsolete? Is there any way that cryptography can overcome the challenge presented by quantum computing? And how long will it be, if ever, until quantum computers can break current, state-of-the-art cryptography?
Lawrence Person (lawrencepersonh@gmailh.com (remove all "h"s to mail))
http://www.lawrenceperson.com/
What does a newbie do? Having been put in a position where I'm partly responsible for server security, and having been put in that position without the proper background (and the responsibility is here to stay), how do I get my head straight on the core issues and make sure I'm not leaving the doors open for anyone to do whatever they want? Reading books/articles doesn't seem to be enough, but if that's the best place to begin, any recommendations?
There's much going on in the area of DRM these days. Microsoft/Intel are pushing for a secure nub and a trusted OS (Palladium). DirecTV's P3 is totally hacked and Echostar is open to EJTAG manipulation. The studios are pushing for stronger encryption for the next-generation DVD after CSS has been hacked.
What is your opinion about where DRM systems should go? How can we protect fair use and still get movies released in HD?
who is lester, and why do we care if he's alive?!
What contingency plans are you aware of? What sort of research is being done to avoid this single point of failure problem in future solutions? Are we just hoping for quantum encryption to save us? Of course, the real solution is to not depend solely on crypto for security, as crypto itself will never be perfect (implementation problems, etc). Security organizations, who haven't already, need to update their risk assessments to include risks to crypto solutions. It's still interesting to look at crypto in a more narrow scope than the real world :)
I am a student pursuing a bachelor's degree in Computational Mathematics.
What is the best way to go about finding a career in cryptography/cryptology?
How did you start in the field?
Is there a "job market" per se, or is it more of a position that one falls into?
One of the applications that is supposed to get a large boost from going from 32 to 64 bits is cryptography. Are you very excited about the move to 64 bits? Do you really think that it would make that much of a difference? Are there any downsides to going to 64 bit computing in cryptography (other than the time to port the software)?
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
If you don't know, the message was not meant for you...And any way, maybe it's double encrypted -
"Lester is alive never again" is awful strange phrasing for a message...
It probably represents something else, code words of some sort or other...
The recent /. discussion of worms exploiting weak passwords got me thinking about problems I have with consistently using strong passwords. I have heard many times that we should use strong passwords (mixed case, letters, symbols, no dictionary words in any language, no number patterns that others could derive, etc.), that we should not reuse passwords, that we should not write down passwords, but should always have them memorized.
Now, if I was on a handful of systems, this would make sense. However, I've found that many websites I come to are increasingly requiring registration, including creating a userid and password to log in to their systems. The personalization of my interface with their system is nice, but makes following the rules about passwords unmanageable -- I can't keep track of several dozen strong passwords from memory.
As an alternative to that, for website uses such as I've mentioned, it seems to me that making use of a public-key encryption system, something along the lines of what I understand SSL to do, would seem to make more sense. My system could exchange encrypted data with the web server using our known public keys, enabling us each to know that we are, in fact, who we claim to be. Even if I was required to use my pass-phrase that goes with that public key each time I logged in, it would be easier for me to remember that one pass-phrase (which could be even more secure than a 6-8 character password) than is currently available.
Obviously there would be change-over costs involved with this, but is there some big reason that this kind of a system would be less secure than the current system, particularly if we take into account the problem of weak and repeatedly used passwords?
Therefore, please post more redundant comments.
My wife and I each are forced to have several dozen usernames and passwords for various websites, programs, email accounts, accounts at work's computer systems, etc. It seems that each sys admin/org has a different policy for creating these accounts, so that we are unable to memorize a few possibilities and choose from among those. (sometimes usernames/passwords are assigned, sometimes they insist on having #s, sometimes capital letters, etc.)
My wife has several files and pieces of paper with all of her passwords written down. She has to keep these on 3 or 4 computers, in her wallet, in her hotmail account, etc.
How problematic is this? Can this ever be solved? How?
Can you present a brief argument that you believe should raise the interest level of the general public in the need for cryptography?
sig.
Just thought you'd like to know, ROT13 is outdated. There is a new protocol out to replace it as of a couple of days ago called ROT-13+.
In the long run, we're all dead.
The reason I'm asking is because there are a lot of great techies out there, but it's rather the geeks that seem to do most of the advocacy and who seem to be able best to stick to their guns and force their peers to use GPG, etc.
Also, I used the word "abuse" also. Do you think you've ever gone over the top with crypting everything, or have you ever used your knowledge to gain access to information that you should not have seen (however trivial), or have you ever been paid to crack something encrypted, won prizes, that sort of thing?
Conversion Rate Optimisation French / English consultant
Lester is alive never again?
Which algorithm / program do you use to protect your "top secret" files? And is there any commonly-used algorithm / program that you wouldn't trust to protect your shopping list?
RMN
~~~
heh
What are your thoughts on open source encryption?
How do you currently interface with various government agencies? What kind of pressure is put to bear, how do you see it evolving, and are you able to answer these questions freely?
Help fight continental drift.
Can you tell us your password?
If brevity is the soul of wit, then how does one explain Twitter?
cipherst
often
read
rather
eccentrically
coun
the
many
years
for
really
interesting
encryption
never
deciphered...
Hey, is there a feasibility problem with making the addition of TLS a socket option? For TCP/UDP/SCTP clients (connection/datagram initiators), it would be great to use a system-wide certificate store (perhaps in kernel space?), and just say "turn on TLS". This would make writing network clients with encrypted traffic a dream.
Granted, openssl's interface may be trivially more complex, but just the thought of managing yet another set of certificates makes me cringe.
All of cryptology is built on a group of cryptographic primitives. Block ciphers, hash functions, factoring problems, discrete log problems, etc. are all used to build higher order cryptographic structures, such as MACs, encryption, and signature schemes. However, all of these primitives are not proven secure. How do you feel about cryptology being built on such a fragile foundation, essentially making it a house of cards?
To what extent do you use cryptography in everyday life? For instance, under what circumstances do you digitally sign or encrypt email? What information do you encrypt on your hard drive? How do you communicate securely with folks who aren't technically adept with current encryption tools? Are the tools at your disposal easy enough to use to keep up with your level of paranoia?
thanks.
Ok. I guess the mod missed the point that it was to be "humorous".
Ah well.
Thanks for letting us ask you these questions.
:)
Over the last couple of decades, cryptography has gone from being the domain of major governments, big business, and the odd hobbyist and researcher to being a massive public industry that anyone can (and does) participate in, with new algorithms published and new applications announced almost every week. Meanwhile, we learn of vulnerabilities in various implementations of cryptosystems much more frequently than we hear of people discovering fundamental flaws in the cryptosystems themselves.
Given these facts, do you think we need to change focus, turning to validating and "approving" implementations of cryptosystems (such as your own SSL 3.0) or should the emphasis of the "crypto community" continue to be innovation in fundamentals of cryptographic systems and new applications for them? How important is it to have someone verify that a cryptosystem is implemented well?
Thanks, and I'll take my answer off the air
I love vegetarians - some of my favorite foods are vegetarians.
are 3 feet from your door
... 1 ...
2
Can you recommend some good hardcore books, or journals to follow for what's going on currently in the crypto scientific community?
Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout
Mr. Kosher?
5 minutes of googling will tell you why IP over SSL/SSH makes for a SHITTY HACK ASS LINUX-STYLE VPN SOLUTION.
Cryptography is great, but it's only part of the solution. Seems to me that all cryptography and security measures are no more than "levels of deterrence". If someone wants to gain access to your critical data, the easiest way is not going to be to break an algorithm, or try to guess a key. Corporate espionage and social engineering both play a huge role in the security of information. If you can dig through a trash can to find a password, or pose as a technician to gain a key to a system, why would you ever want to try to break the algorithm? How can you eliminate employees choosing passwords like 'secret', 'password', or '12345', especially when the company heads are not technical enough to enforce company policies? After all, just because someone pays you for your advice as a consultant doesn't mean they'll take it. On the other end of the argument, you can't expect people to remember 16 8-bit hexadecimal numbers that are generated at random monthly, so how do you let them carry around their password in a secure fashion? Biometrics seems promising, but what if someone is able to copy your fingerprints? It's not like you can get a new finger... Any suggestions on this would be helpful... thanks!
In A.D. 2101
...."
War was beginning
Outside Ship - An explosion occurs.
Ship's Bridge
Captain: "What happen ?"
Mechanic: "Somebody set up us the bomb."
Close-Up of Excited Communications Officer
Operator: "We get signal."
Captain: "What !"
Ship's Bridge
Operator: "Main screen turn on."
(CATS appears)
Captain: "It's you !!"
Close up of CATS
CATS: "How are you gentlemen !!"
CATS: "All your base are belong to us."
CATS: "You are on the way to destruction."
Close up of captain & CATS
Captain: "What you say !!"
CATS: "You have no chance to survive make your time."
Ship's Bridge
CATS: "Ha ha ha ha
Close up of Forlorn Captain
Operator: "Captain !!"
Ship's Bridge (ZIGs on monitors)
Captain: "Take off every 'ZIG'!!"
Shows a ZIG pilot powering up
Captain: "You know what you doing."
Shows a ZIG moving into launch position
Captain: "Move 'ZIG'."
ZIGs on monitors, Bridge Explodes
Captain: "For great justice."
The ship explodes.
A lone ZIG zooms into view!
Just because I doubt myself does not mean I find your position compelling.
With recent developments, such as the capability to "store" photon states within a physical substance, and the progress in quantum NOT gates, there seems to be steady advancement towards quantum computing / quantum cryptography. What roles do you see quantum computing and quantum cryptography taking in changing the way cryptography is handled at present? What hurdles would have to be overcome in order to make these of practical use?
As an authority in the "private industry", I'm assuming you earn more money and get more public respect than someone working for the NSA. My question is, if it weren't for the secrecy and (probable) lower pay in the NSA or a similar agency, would you want to work for them? That is, if the recognition and material rewards were equal on both sides, which would you choose?
Ignoring errors in the several implementations, current encryption algorithm software provides everyone the chance to keep information secure, as it is simply impractical to break the encryption in a reasonable amount of time, even with enough money provided. Nevertheless, I notice that the overall awareness about keeping information secret is pretty low (I'm too young to say that it has been higher some time). Anybody who wants to get encrypted information simply attacks not the data itself but the people with legitimate access to this data. Sometimes, even this is not necessary (I get unencrypted but highly confidential information (No Nigeria Spam!) almost daily due to a popular internet domain from my government with a similar spelling. Those people are just guessing the email address of their friends and sometimes they fail.)
So, my question is this:
Does cryptography have to include the human factor itself in the calculation, or is it still only about mathematics? Can you imagine a strong encryption system with a special focus on people with low awareness?
There has been a misnomer that I have witnessed in a few jobs as well as my current one. The misnomer is that if you are behind the firewall you are safe, so why can't we install X application like web shots etc? Currently this view is changing here, however, we get stiff resistance from the top as we try to make things more secure. The senior leadership wants to be the exception to the desktop policy rule regardless of explanation. How do you implement security on the desktop across the organization while not receiving the support of non IT background superiors?
What is the maximum effective strength of encryption? By this I mean, what is the best cipher strength that provides a good tradeoff between speed and security?
Encryption is good, but can be slow, so I'm just wondering.
What do you see as the appropriate role of government in the world of encryption? Also what type of influence does the US government have on encryption and security technology? For example, how do you think AES will play in the commercial world? Also, does NSA specifically have a significant impact on commercial security technology (not necessarily in the conspiratorial sense...)?
How does the future look to you? Good, bad, or so-so? You can interpret that any way you want: privacy, cryptographic technology, growth of the internet, information security, etc.
Wow, president of something that is actually called "Cryptography Research"? That sounds awfully close to being a "certified cryptography researcher" and getting some DMCA exemptions. Have you ever thought about printing yourself a certificate to make it official?
Please moderate the above (and this comment of mine) down,
-- MartinG To mail me: echo kewyjlcxyzvjfxbqwh | tr bcefhjklqvwxyz
However, I was not referring to the same kinds of VPNs the AC mentions. I understand why TCP over TCP is a bad idea.
I was thinking of these kinds of products:
-------
Warning: Slashdot may contain traces of nuts.
The abundance of Duplicates is really proof enough. And when they make a mistake they rarely go back and fix the story.
It seems like they are now sitting back and relaxing far too much. At any other commercial organisation they would have been fired.
What is really sad is that sometimes you get the feeling that they don't actually read the articles. The commentaries are often some sort of "joke", to make up for their lack of understanding.
The news is now often old as well and sometimes it is just plain untrue. The current setup won't survive if they try to charge for this sort of content. It is simply not of high enough quality.
How do you protect sensitive data?
Do you trust the current available algorithms enough to store your own data encrypted with them, or do you prefer to keep personal data 'offline'?
Oops. I forgot to post anonymously; /. undid my moderation. Just pretend that my comment never existed. Moderators: don't bother with either of my comments here.
How embarrassing...
"We demand rigidly defined areas of doubt and uncertainty!" - Vroomfondel, H2G2
>Let's try this one more time, this time with feeling.
Does that mean I'm supposed to sing my question?
Please try not to ask questions that can be answered with a few minutes' worth of on-line research.
When did slashdot incorporate this standard? Methinks the editors are starting to be embarrassed by their readership.
Clever, clever, clever... it took me quite a while to figure out the hidden message in that post... "piercing", my friend
At this point, most of us are using a variety of software packages, hardware appliances, and communications protocols to secure our computers, networks, and traffic. Needless to say, the list of potential tools we employ includes (but is not limited to) firewalls, IDSes, mandatory access control schemes, PKI, SSL, "personal" cryptography systems (e.g., GPG/PGP), IPv6/IPsec, and VPNs.
In your opinion, over time, how will these disparate features and systems consolidate? Where are the logical points of consolidation? What might our security toolsets look like in five years?
VIA's web site says that you are testing their hardware RNG, and "preliminary results show high-quality output".
So... how does it work? I know Intel's chipsets count cycles of a high-speed (~300 MHz) clock between cycles of a low-speed VCO controlled by resistor noise.
Did they repeat Intel's mistake implementing hardware whitening, or is it feasible to implement on-line quality checks by testing to see if the deviation from randomness is as expected?
What's the software interface?
Slashcode didn't throw up a warning like "you've already moderated in this thread - it will be lost if you post to it" or something? Sounds like an improvement could be made here. I know the instructions tell you this will happen, but obviously accidents do happen; while repeated "are you sure?" messages tend to get annoying as software tries to protect people from themselves, the warning could be disabled in one's profile...
"Time is an abstract concept devised by carbon-based lifeforms to monitor their ongoing decay." - Thundercleese
I have heard from everyone with any real experience in cryptography that of all the areas of computing, cryptography is the one best left to the experts. What most programmers (including myself) might think of as a very secure encryption, when analysed by the experts, turns out to be as transparent as ROT13.
On the other hand, nowhere is the Open Source Model more touted as the panacea of computing than in cryptography. Many eyes, it is said, will catch backdoors and reveal poor implementations before they become security issues.
My question then: when developing and implementing encryption, how would you weigh the need for expertise with the trust and scrutiny available from Open Source development?
Strive to make your client happy, not necessarily give them what they ask for
Paul,
First of all, thank you for agreeing to be interviewed here. It's greatly appreciated.
I'm curious if you wouldn't mind elaborating a bit on the catastrophic failure of the SSL security architecture given the compromise of an RSA private key. An attacker can literally sniff all traffic for a year, break in once to steal the key, then continue to passively decrypt not only all of last year's traffic but all of next year's too. And if he'd like to partake in more active attacks -- session hijacking, malicious data insertion, etc. -- that's fine too.
In short, why? After so much work was done to come up with a secure per-session master secret, what caused the asymmetric component to be left so vulnerable? Yes, PGP's just as vulnerable to this failure mode, but PGP doesn't have the advantage of a live socket to the other host.
More importantly, what can be done for those nervous about this shortcoming in an otherwise laudable architecture? I looked at the DSA modes, but nothing seems to accelerate them (which kills its viability for the sites who would need it most). Ephemeral RSA seemed interesting, but according to Rescorla's documentation it only supports a maximum of 512 bits for the per-session asymmetric key -- insufficient. If Verisign would sign a newly generated key each day, that'd work -- but then, you'd probably need to sign over part of your company to afford the service. Would it even be possible for them to sign one long term key, tied to a single fully qualified domain name, that could then sign any number of ephemeral or near-ephemeral short term keys within the timeframe allotted in the long term cert?
Thanks again for any insight on the matter you may be able to provide!
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
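As an added illustration of the failure mode Dan describes above (my own toy model, not code from Dan, Paul Kocher or any SSL implementation): sessions recorded under static RSA key transport fall to a later theft of the server's long-term key, while sessions that used an ephemeral Diffie-Hellman exchange merely signed by that key, the forward-secret alternative to the static and ephemeral-RSA suites he discusses, do not. The RSA and DH parameters are deliberately tiny, constructed toy values.

```python
"""Toy model of forward secrecy: static RSA key transport versus ephemeral DH.
Constructed for illustration; every parameter is far too small for real use."""
import hashlib
import hmac
import random

DH_P = 2**127 - 1   # Mersenne prime M127: a toy Diffie-Hellman group
DH_G = 3


def _is_probable_prime(n, rounds=25):
    """Miller-Rabin test, sufficient for toy key generation."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits=128):
    """Textbook RSA without padding: returns ((n, e), d)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), pow(e, -1, phi)


def _kdf(secret):
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def _xor_stream(key, data):
    """Encrypt/decrypt with an HMAC-derived keystream (toy record layer)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def static_rsa_session(server_pub, plaintext):
    """Static key transport: the premaster secret travels encrypted under the
    server's long-term key. The returned dict is what an eavesdropper records."""
    n, e = server_pub
    premaster = random.randrange(2, n - 1)
    return {"mode": "static_rsa",
            "enc_premaster": pow(premaster, e, n),
            "ciphertext": _xor_stream(_kdf(premaster), plaintext)}


def ephemeral_dh_session(server_pub, server_priv, plaintext):
    """Ephemeral DH: the long-term key only signs a fresh server share."""
    n, e = server_pub
    y = random.randrange(2, DH_P - 2)
    gy = pow(DH_G, y, DH_P)
    digest = int.from_bytes(hashlib.sha256(gy.to_bytes(16, "big")).digest(), "big") % n
    sig = pow(digest, server_priv, n)
    assert pow(sig, e, n) == digest      # the client verifies the signed share
    x = random.randrange(2, DH_P - 2)
    shared = pow(gy, x, DH_P)            # x and y exist only for this session
    return {"mode": "ephemeral_dh", "server_share": gy, "signature": sig,
            "client_share": pow(DH_G, x, DH_P),
            "ciphertext": _xor_stream(_kdf(shared), plaintext)}


def recover_with_stolen_key(record, server_pub, server_priv):
    """What a later theft of the long-term private key yields per recording:
    the plaintext for static RSA; nothing for ephemeral DH, because the
    transcript holds only g^x and g^y and the stolen key recovers neither
    exponent (it would let a future active attacker forge, not read the past)."""
    n, _ = server_pub
    if record["mode"] == "static_rsa":
        premaster = pow(record["enc_premaster"], server_priv, n)
        return _xor_stream(_kdf(premaster), record["ciphertext"])
    return None


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    msg = b"constructed sample: account 0000-0000 balance 123.45"
    for rec in (static_rsa_session(pub, msg), ephemeral_dh_session(pub, priv, msg)):
        print(rec["mode"], "->", recover_with_stolen_key(rec, pub, priv))
```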
There are several questions posted here regarding the government's (USA and others) ability to crack what is publicly considered to be good encryption. I hope you answer one of them.
James Bamford's books on the NSA tell us that government security agencies have a long and documented history of obtaining back doors (political engineering?) or outright cracking codes. I remember a very public government effort several years ago to lobby for backdoors ("clipper chip" and others), an effort that seems to have stopped and which worries me because I am left to assume that they have their solutions. Someone else here has asked if your company has ever been approached for backdoors to your products.
In summary, as we use PGP, SSL, and other commonly available and easy-to-use tools, how secure are we from the one organization that we know of, our government, that has the resources and the mission to pry into private "secured" communications?
as a software engineer building open source p2p applications (gnutella), we are faced with a huge problem: how do we establish trust in an open environment where any application that speaks the protocol can participate? we've thought of various cryptographic systems to establish trust, but they have several fatal flaws - they require some sort of centralization (a no-no in a p2p environment), they lock out 'untrusted' vendors, etc.
what can we do to maintain an open environment and establish trust between peers?
smd4985
However, all of these primitives are not proven secure. How do you feel about cryptology being built on such a fragile foundation, essentially making it a house of cards?
Are you aware how amusing it is that you posted this question over a connection based on IP primitives?
Best Post Ever
First, it's not well-known that the NSA is years ahead of the pack. That's purely speculation. The NSA says so little about how much they know that anyone who says "they're years ahead" just shows they don't know what they're talking about.
In the '70s, '80s, and on up into the '90s, the NSA was certainly ahead of the civilian cryptanalytic community. DES, for instance, had its S-boxes strengthened against differential cryptanalysis in the '70s--about a decade and a half before the civilian cryptanalytic community discovered differential cryptanalysis.
But recently, there've been tantalizing signs the NSA is not as far ahead as people once thought. The civilian cryptanalytic community has grown tremendously in just the last ten years, and the quality of scholarship is the best we've seen since Turing and Shannon established the field. The civilian cryptanalytic community is now breaking NSA designs.
For instance: the NSA submitted a pretty cool cipher mode (Dual Counter Mode) for use with AES. People were looking forward to the opportunity to beat on an NSA design--and lo and behold, Dual Counter Mode was broken within a matter of weeks. The cryptoparanoids out there will say the NSA intentionally put out a weak mode in order to fool their enemies into underestimating their talents, but--really. Occam's Razor applies to the NSA as much as it applies to anyone else. The simpler explanation is that the NSA got egg on their face, just like everyone else has had. If you're going to be active in the crypto community, you're going to get your fair share of brain-os. Bruce Schneier presented MacGuffin at one conference only to have his brainchild be broken before the conference ended. If something like that can happen to Bruce, why should the NSA be immune?
The really fascinating NSA braino is, undoubtedly, SKIPJACK, the cipher which was going to be the heart of the Clipper Chip. It had a very solid design and 32 rounds. 32 rounds is a lot of rounds--the idea the NSA would make a 32-round cipher struck a lot of people as evidence that the NSA was being extremely conservative.
Eli Biham took a look at the SKIPJACK design and, pretty much on a mental lark, decided to play around with some numbers. Before SKIPJACK had been published a month, Biham had invented an entirely new differential cryptanalysis scheme--"impossible differential cryptanalysis"--and had used it to break 31 of SKIPJACK's 32 rounds.
Remember: SKIPJACK was the NSA's effort at making a safe, strong cipher. They swore before Congressional intelligence subcommittees that SKIPJACK didn't have back doors, and they allowed a small number of outside experts (incl. Dorothy Denning, who's a crypto luminary) to review major portions of the classified cipher.
So either you've got to believe the NSA lied to Congress, deliberately deceived Denning, and that Denning wasn't smart enough to know she was being deceived... or you can believe the civilian cryptanalytic community is getting good enough to challenge the NSA on the NSA's own terms.
Anyway. Come to your own beliefs as to how far ahead the NSA is of the civilian cryptanalytic community. I think the answer is "not very", but reasonable people will certainly disagree on these things.
What impact would a factoring algorithm which reduced prime factoring to a non-exponential problem have on the encryption industry in general?
How is the market for cryptography consulting right now? Do you have many clients? What do they typically want or need?
What would you recommend for somebody wishing to enter the field? (other than stay away from your turf:-)
Thanks.
Are you disappointed that the use of public key client authentication in SSL/TLS is not more widespread? Do you foresee a time that it will be more widely adopted?
Has any of your work been impacted or covered up by the USPTO's ability to declare a patent a secret? Were you compensated for the loss? How do you feel about the confiscation both personally and in general?
-- If you cast your bread on the water, sometimes it comes back angel food cake.
*sigh* I really wish people wouldn't mod up questions which can be adequately answered with a quick Google search. That said--please mod the parent down, since it's not worth Paul's time. But I'm not going to leave the poster emptyhanded, either.
In order to flip a bit requires a thermodynamic minimum of 4.4 * 10**-26 joules of energy. (Ignore the time/power theoretical tradeoff and energyless reversible computing, please: those are still purely theoretical, and we have no computers which can do it. For that matter, we have no computers which can approach the thermodynamic minimum, but let's give the NSA some credit.)
That means it requires a minimum of 1.1 * 10**-23 joules of power to store a 256-bit AES key. Let's assume you have some kind of truly bizarre key cracker that can do an energyless rekey and key trial: all you have to do is have 1.1 * 10**-23 joules of power for each key you want to test. That's the thermodynamic minimum energy you need just to store the key.
To break a 256-bit key by brute force requires, on average, 2**255 operations. Multiply 1.1 * 10**-23 joules of power by 2**255, and you get 6.5 * 10**53 joules of power.
Let me repeat this.
It requires
65000000000000000000000000000000000000000000000
... joules of power.
By comparison, the Sun's annual power output is in the realm of 1.2 * 10**34 joules.
Or
120000000000000000000000000000000000
... joules of power.
Are you beginning to see why it's such a silly question to ask whether or not modern ciphers can be brute-forced with Crays?
Please. Use Google before asking questions.
Have you been living in a cave on the dark side of the Moon for the last few years, to not know about Internet 2?
Grid Computing seems to be a technology that has the potential to host brute force decryption efforts. Aside from bigger and bigger keys are there any other crypto techniques or research underway to defeat grid computing? Also, what does this mean for desktop cryptography?
"The only way to catch tiger cubs is to go into the tiger's den."
Kathleen Fent shares Taco's love of hentai!
What is the next paradigm for the business computing environment? Will it take the broad distribution of cryptographic coprocessors and 'trusted operating environments' before the average corporate user begins using cryptography... but basically only cause the admin set it as the default behaviour? Or will there be a new focus on pure research to find better algorithms and ways to crack them? Will the average desktop going to 64-bit addressing help in distributed brute force attacks? What does your magic 8-ball say? Mine seems to be stuck on 'Don't Count On It'
Fnord.sig
As soon as we see patents expire on curves, then I imagine we'll see ECC take off. ECC's been around for over a decade now and has enough cryptanalysis done of it to give a lot of people confidence in it as a security measure, but the Certicom patents are just killing it, deploymentwise.
Any proof of security for the majority of crypto primitives would lead to a proof that P=NP. I don't feel at all bad about crypto being built on this hypothesis: I think P!=NP, and I suspect it cannot be proven.
All we can do is build the best things we can today with the best tools and knowledge we have today. If we wait until the P=NP? question is resolved before we build crypto, our problems are going to be orders of magnitude worse than if we build things now and later discover P=NP.
When we talk about cryptography, people go around saying that one method is stronger than another; however, I haven't seen quantifiable measures of strength presented. What (if any) strength measurements do security analysts use and how are these measurements computed?
do people make fun of you for having a cock in your last name?
How important is the website/the information that you give to them?
Adjust strength of password to match. Weather.com and its ilk probably do not require a strong passwords...
Nerd rage is the funniest rage.
"Let's try this one more time, this time with feeling."
Maybe instead you should "try this one more time, this time with thinking".
How difficult is it to implement very secure algorithms for the common developer with little experience in implementing security? As innovations in making more complex algorithms come into play, what types of innovations are being done for implementing these algorithms? Could the lack of understanding of how to implement these algorithms be in itself a reason for lack of security in applications / processes?
Hi!
Thank you for letting us ask all these questions.
If you would recommend using crypto in PDAs, cellphones, etc. that are dependent on battery power, and you want to be as secure as on your desktop where SSH and SSL are used, what crypto would you use for different applications such as web services, mail, telnet and VoiceIP? Are there any crypto algorithms that are much less computing intensive but still keep a high crypto profile?
Luck is opportunity meets preparation, lets get lucky
For what it's worth, Mozilla has an option to encrypt the passwords that you have stored with the browser. When I go to a site that requires info, a box pops up asking for my encryption password.
A key to get the key, as it were.
CPU: Handprint Identification Please...
CPU: Handprint Identification Please...
CPU: Handprint Identification Please...
[Lone Starr uses unconscious guard's hand]
Lone Starr: (taps guard's helmet) Thanks!
As cryptography becomes more complicated, the majority of people (including many advanced programmers and mathematicians) are coming to rely on a relatively small set of experts to guarantee the correct and secure operation of many cryptography systems (such as SSL). Even given an open-source solution, very few people could ever audit it fully and be confident.
My question is, do you foresee that problem increasing? - are cryptography systems becoming so complicated that the world will become dependent on a handful of people?
The computer work is evolving with everyday emerging techs. The number of computer eng.'s is in an exponential increase, and enterprises are releasing enterprise software every now and then, that carry very critical data. What is the status of the average user, depending on these tech.'s for his daily life, the more techs and engineers we have, more attacks are expected to occur.
We should put in mind that security technology hasn't had a serious breakthrough in the past few years, so are the bad guy eng.'s going to have all the fun, or are there going to be new protective ways and methods?
The lunatic is in my head
In your opinion, how well would current crypto standards (SSL for example) stand up against a cryptanalysis attack using quantum computer(s) (if/when ever available)?
I normally hate the cliche of "thinking outside of the box", but here it is fully appropriate.
Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
Your thinking is as almost always somewhat flawed. Saying a cypher has no backdoors and saying it is not breakable are two entirely different things.
In addition, your examples are of NSA cyphers containing only those techniques that they LEGALLY can share with the civilian world. Strong crypto is considered exactly the same as the critical design information of nuclear weapons. This puts incredible constraints on what the NSA can release.
Therefore your whole post is invalid. And everyone who modded you up is either a buddy, or is as much an idiot as you are.
One final point. I was a military crypto specialist during the 80's. The techniques used then for tactical crypto ( cypher able to withstand attack for three days), which is the weakest classification, are just now, 20 YEARS later, appearing in civilian systems. After leaving the military, I worked 10 years for a large government contractor. We built communication systems for the military and NASA. The civilian world is not even close. Currently, I work in digital comms so I have a good idea of what is around the corner as far as civilian comms security is concerned.
To be fair, the civilian environment places limitations on what can be done. Limitations that the NSA either doesn't have or can bypass. The simplest I can think of, that everyone should know, is key delivery.
As a side note, after scanning your posts, I noticed a curious thing. The mod points were way too high for the caliber of your posts. In some cases they were way out of proportion to the modding of other posts in the same thread. My conclusion is that you are trading blow jobs for mod points. I bet you've got the whole dorm in on the deal. Must be a happy dorm!
Ehm, this is why stuff such as tinc exists. It uses UDP; see this. Did I mention it uses OpenSSL for its ciphers?
Question for Paul Kocher:
How long do you predict it will be before quantum computers are a reality?
There may not be "secret patents", but there are patent secrecy orders. See this page.
Update: 03/13 18:18 GMT by M: Let's try this one more time, this time with feeling.
Huh? What happened? Did the comments get erased because everyone had lame posts, or what? I'M CONFUSED!!!
NSA did not lie to Congress when it said that Skipjack was secure. Skipjack is secure, and there are no known attacks on it that are faster than brute force search of the key space. Biham's attack is only on a crippled version of Skipjack, and might well have been known to the NSA all along.
Given a generic small business with fewer than fifty employees and less than $10,000 in capital with which to work wonders, what types of equipment, servers, operating systems, security measures, privacy, and safeguards can be implemented free, low cost, or at least market comparable?
This question is sort of a loaded one. Considering that for around $10,000 you can purchase at least one server and get all the open source software you want to run your business. Especially if you wanted to take the time to go to classes and seminars to learn more.
However, since cryptographic software such as PGP, OpenSSL, and OpenSSH were designed to be "free" so that EVERYONE can use them, how does one go about teaching the technically inept, the technically impaired, the technically unaware how to use them. Obviously there is a small part involved with them wanting to learn.
But if my grandmother wanted to open a business, such as a restaurant, and install a web server and mail server, and allow secure online transactions for a select few customers, what should I tell her regarding her options?
I can set up a server utilizing various functions for her needs but when it comes to something more than installing and configuring OpenSS* and PGP I know next to nothing. I would think many people in the Open community are the same. They know what exists and how to implement it but know nothing beyond that. And considering that I've read probably 10 or 12 papers and books on the subject and can code a little I still cannot say for sure that what I am using is the best in practice.
My solution to this was a tiered-priority scheme. I have a "strong" password that I use for anything linked to my credit card, a different strong password that i use for anything on my intranet, and a "weak" password that i use for things i don't really care too much about, like forum registrations and community websites that aren't linked to anything relevant.
There are dozens of places i need to use a password, but i don't see a real reason to use a different one for each site.
As I recall, the patent office's ability to declare a patent secret is predicated on the belief that general availability of the patented invention would be a danger to national security.
Taking something to improve "National Security" is certainly a "public use", while keeping you from licensing your invention for all the traffic will bear is most definitely a "taking".
So "just compensation" in this case would be the maximum expected royalties if paid at the time the royalties would be paid, or the same amount plus interest if paid later.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
So I opened an emacs window to decode your message and then started to play around. I started typing stream of conscious stuff. I have discovered that the rot13 of cunt is phag.
Tee hee.
The big difference between what the NSA have done and what the world of commerce needs and does is rather different. They really missed out on public-key cryptography; although it was arguably first developed by GCHQ (the British variant of the NSA), its significance was ignored.
The NSA are great cryptographers, as are GCHQ and whatever their equivalents are around the world. Unfortunately the cloak of secrecy hampers the rapid progress that can be made outside. Can the NSA get Russian mathematicians to look at their algorithms? I don't think so.
OTOH, if you have a good idea in the open you can post to sci.crypt and have it shot down by some of the best cryptographers in the world.
She's now the executive in charge of computer security throughout the entire company.
:)
Oh god! This so blows away anything I've ever seen that it warms my heart. Hope the current job is better rjh
"One man can change the world with a bullet in the right place."
- Mick Travis, "If..."
Is there a way to protect your applications (hardware or software) against timing and differential power attacks?
Constant-time or constant-energy mathematical libraries are mostly impossible to build, and if they are, they need too much computing resources; random noise generators (hardware/software) can be (according to the theory of Shannon) counter-attacked, as well as needless random loops.
Therefore, how can you protect a software/hardware implementation from these attacks?
The whole SSL thing is based around certificates. We have seen problems with certificate handling, and certainly with the user acceptance of certificates. I prefer the "Web-of-Trust" method of PGP where certificates may be multiply signed and you may indicate your own trust in the certification authority.
Good one!
I work as an information security consultant, and I often hear folks telling me that PKI is dead, and that I should remove PKI from my consultancy and teaching because it is a dinosaur technology.
Since you are an architect of SSL 3.0, I would like to hear your take on whether or not PKI is dead--and/or if SSL is the only reason PKI is still alive.
Check out our infosecurity industry blog: http://securitymusings.com/
I have tried to implement an SSL client with both OpenSSL and Microsoft security SDK. Have you tried using Microsoft's Security SDK? Basically MS has a small footprint (since all components come with Windows) whereas OpenSSL means you install an extra 1 meg with your software. Do you have any reason not to use Microsoft Security SDK?
I have tried without success to find documented evidence of how a successful smart brute-force cryptographic attack has been done in real world circumstances. What approaches are commonly used? How does an attacker know if they have succeeded if the encrypted file/packet does not contain known data?
Perhaps these questions can lead to algorithms that are significantly stronger, perhaps even against alternate cracking methods like quantum computers.
As OneTimePad with a perfect PRBS (PseudoRandomBinarySequence) generator is mathematically unbreakable (with minimised redundancy and no checksum etc), why not use this instead of DES and all the weaker Asymmetric technologies?
The reasons quoted (for not using OTP) are always key distribution problems, and yet we routinely get sent periodically Credit Cards and Checkbooks. (This could just as easily be a 'book' of OTPs on a CompactFlash card.)
Personally, in addition to OTP, I'd spray randomly, and using random inversions, the data into a larger packet (to counter weaknesses in the PRBS) and also perhaps send dummy packets too. The only way for verification (like checksums) to work is to send data at least twice before it is trusted, using different OTPs.
It seems to me the whole trust based on asymmetric signed certificate is flawed since too much trust is put in a common root certificate which must be shared across millions of clients for a long time. And if it's cracked, how do you deploy new certs? Nightmare. (I've been in this situation with Lotus Notes common root certificate - it really isn't fun). My idea puts no trust in any certificate beyond the current message. Pads are deleted either end (the server has copies of all pads for all users). If the end user thinks his compact flash is compromised, all pads are deleted either end, fresh ones made (shipped by UPS or whatever in a CompactFlash) and trust is instantly re-established.
If the server is cracked, this is no worse than the situation for Asymmetric Keys.
With a perfect PRBS generator. However, there are far fewer solutions for Asymmetric keys. You also state 'Joules' to store a bit. Over what period are you considering this? Since a few transistors on a chip will consume a given amount of energy per second, you must integrate wrt time in order to get a total amount of 'work'. Therefore you must have a time period in mind (for the storage or each key combination), which you should state in your brute force calculation.
It seems that the primary problem with cryptography is sociology, not mathematics. I spent about two weeks signing messages before co-workers complained that it made mail more difficult to read. A talk I gave last year on the importance in securing research data was attended by a total of 3 people. What do you see as the biggest barriers to adoption of digital signatures?
Does it hurt? Do they like fellatio? Do they like anal sex as much as you do?
To pre-answer any questions about how does partyA trust partyB, the answer is both trust each other by secret exchange through the Key Maintainer. In this case, the Organisation that issues CompactFlash cards full of OTPs (ie Checkbooks in man-in-street-speak) to partyA and partyB.
Both contact Key Maintainer to exchange secrets. Secrets are distributed, then maybe smaller OTP used direct partyA to partyB, or maybe a traffic through KeyMaintainer.
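The pad-consumption bookkeeping the two posts above describe (a shared pad issued out of band by a key maintainer, consumed message by message, and destroyed on both ends once used), as an added Python example that is not code from the thread or from any project mentioned in it. It assumes both parties hold identical copies of the pad and stay in step; the pad is drawn from secrets.token_bytes rather than a PRBS, because a pad only gives one-time-pad security when its bytes are truly random, and the last function shows what a third party learns if any pad bytes are ever used twice.

```python
import secrets


class OneTimePad:
    """Shared pad that is consumed sequentially and destroyed as it is used.

    Both parties hold identical copies (in the post's scheme, delivered
    out of band on a CompactFlash card) and must stay in step: each message
    uses the next len(message) unused pad bytes.
    """

    def __init__(self, pad: bytes):
        self._pad = bytearray(pad)
        self._offset = 0

    def remaining(self) -> int:
        """Unused pad bytes left before a fresh pad has to be issued."""
        return len(self._pad) - self._offset

    def _consume(self, n: int) -> bytes:
        if n > self.remaining():
            raise ValueError("pad exhausted: a fresh pad must be issued")
        start, end = self._offset, self._offset + n
        chunk = bytes(self._pad[start:end])
        # Overwrite the used region so the same key bytes can never be reused.
        self._pad[start:end] = bytes(n)
        self._offset = end
        return chunk

    def seal(self, plaintext: bytes) -> bytes:
        """XOR the message with fresh pad bytes."""
        key = self._consume(len(plaintext))
        return bytes(p ^ k for p, k in zip(plaintext, key))

    def open(self, ciphertext: bytes) -> bytes:
        """XOR is its own inverse, so decryption consumes the same bytes."""
        return self.seal(ciphertext)


def issue_pad(length: int) -> bytes:
    """Key maintainer step: the pad must come from a true random source."""
    return secrets.token_bytes(length)


def round_trip(pad: bytes, messages) -> list:
    """Sender and receiver each hold a copy of the pad; returns what the
    receiver decrypts, in order."""
    sender, receiver = OneTimePad(pad), OneTimePad(pad)
    return [receiver.open(sender.seal(m)) for m in messages]


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """What an eavesdropper learns if two messages share pad bytes:
    c1 XOR c2 equals p1 XOR p2, and the key drops out entirely.
    This is why _consume() zeroises the used region."""
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    pad = issue_pad(64)
    print(round_trip(pad, [b"hello", b"world"]))   # [b'hello', b'world']
```

The receiver's copy decrypts only because it consumes exactly the same pad region the sender did; a dropped or reordered message desynchronises the two copies, which is the synchronisation cost the post's "Key Maintainer" would have to manage.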
How many different 256-bit keys are there? About 10**77.
How many different 512-bit primes are there? About 10**151.
If anything, the likelihood of cracking an asymmetric key by brute force are worse.
Insofar as power, learn what the concept of a thermodynamic limitation is. The thermodynamic limitation is given in terms of joules of energy (actually, it's kT, where k is the Boltzmann Constant and T is the ambient temperature the computer is running at). Once you set the bit, there's no thermodynamic requirement that you continue to supply energy to the circuit.
(Technically, thermodynamics allows you to set bits without expending energy... it's clearing a bit which requires it. Still, that's a pretty trivial detail.)
IOW, there's nothing preventing you from breaking it instantaneously, provided you can deliver all that energy instantaneously. And there's nothing preventing you from taking 10**100 years (barring, perhaps, proton decay and the ultimate state of the universe) if you want to deliver that energy slowly.
The time period doesn't matter. The total energy required is what matters.
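The energy bound from the brute-force post earlier in the thread and the kT ln 2 point made just above, worked through as an added Python example (not code from the thread). The per-bit energy is a parameter, so the post's 4.4 * 10**-26 J figure and a Landauer-bound value at a chosen temperature can both be plugged in; the solar-output figure is the post's own; results are returned as base-10 logarithms so that arbitrary key sizes do not overflow a float. The estimate for the "512-bit primes" count uses the prime number theorem.

```python
import math

# CODATA 2018 value of the Boltzmann constant, in joules per kelvin.
BOLTZMANN_J_PER_K = 1.380649e-23

# Figures quoted in the posts above, reused here as inputs.
POST_ENERGY_PER_BIT_J = 4.4e-26   # per-bit energy the brute-force post assumes
SUN_ANNUAL_OUTPUT_J = 1.2e34      # the post's figure for one year of solar output


def landauer_bit_energy_j(temperature_k: float) -> float:
    """Landauer bound: minimum energy to erase one bit is k*T*ln(2)."""
    return BOLTZMANN_J_PER_K * temperature_k * math.log(2)


def brute_force_energy_log10(key_bits: int, energy_per_bit_j: float) -> float:
    """log10 of the energy needed to set key_bits bits for each of the
    2**(key_bits-1) trials a brute-force search needs on average.

    Returned as a base-10 logarithm so the function still works for key
    sizes whose energy would overflow a float (2**1024 and beyond)."""
    trials_log10 = (key_bits - 1) * math.log10(2)
    per_trial_log10 = math.log10(key_bits * energy_per_bit_j)
    return per_trial_log10 + trials_log10


def sun_years_log10(key_bits: int, energy_per_bit_j: float) -> float:
    """log10 of how many years of total solar output the search would consume."""
    return (brute_force_energy_log10(key_bits, energy_per_bit_j)
            - math.log10(SUN_ANNUAL_OUTPUT_J))


def keyspace_log10(key_bits: int) -> float:
    """log10 of the number of distinct keys of the given length (2**key_bits)."""
    return key_bits * math.log10(2)


def prime_count_log10(bits: int) -> float:
    """log10 of the approximate number of primes below 2**bits, from the
    prime number theorem: pi(x) ~ x / ln(x) with x = 2**bits."""
    return keyspace_log10(bits) - math.log10(bits * math.log(2))


if __name__ == "__main__":
    for bits in (128, 256, 512):
        print(f"{bits}-bit key: 10^{keyspace_log10(bits):.1f} keys; brute force needs "
              f"10^{brute_force_energy_log10(bits, POST_ENERGY_PER_BIT_J):.1f} J, "
              f"about 10^{sun_years_log10(bits, POST_ENERGY_PER_BIT_J):.1f} years of sunlight")
    print(f"primes below 2^512: about 10^{prime_count_log10(512):.1f}")
    print(f"Landauer bound at 300 K: {landauer_bit_energy_j(300):.3g} J per bit")
```

Swapping the post's per-bit figure for landauer_bit_energy_j(300) changes the exponent by a few units and the conclusion not at all, which is the point the thread is making: the bound is set by the 2**(n-1) trial count, not by the hardware.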
1. I've never heard ANYONE claim that Asymmetric Key is harder to break than Symmetric key of same length. Can you provide a reference (obviously all the books I've read on the subject are wrong, as is my view of the axiomatic).
2. In Star Trek maybe you can store bits and then take no power; however, in reality a bit in a RAM chip takes a constant stream of energy to keep stored. Same thing goes for stuff stored in magnetic form (eg hard disks) since the domain degrades and needs to be re-written, plus fairly low MTBF on drives means you really want a RAID5 which takes energy to run.
I've never heard ANYONE claim that Asymmetric Key is harder to break than Symmetric key of same length. Can you provide a reference (obviously all the books I've read on the subject are wrong, as is my view of the axiomatic).
Proofs of security would necessarily involve a proof that P != NP. But, for instance, look at the Rabin public-key system, which is provably as difficult as factoring. Factoring is, as near as anyone in the field can tell, an NP problem. (It may have been proven NP, in fact--I'm not quite sure.) In that case, Rabin is provably as secure as any other NP cryptographic system. Please check the Handbook of Applied Cryptography.
In Star Trek maybe you can store bits and then take no power
The advantage of speculating Star Trek levels of technology is that even in Star Trek the Second Law of Thermodynamics has to be obeyed. If you can prove, beyond a shadow of a doubt, that the laws of thermodynamics prohibit something from happening, that makes all claims of "yes, but you're overlooking the practical concerns, too" absolutely moot.
If it doesn't work in theory, it can't work in practice and all further discussion is a fool's errand.
The theory of brute-forcing 256-bit ciphers, or symmetric crypto, is completely barking mad. As such, I don't need to worry about practical concerns. I've already proven the theory beneath it is unsound.
S/MIME and PGP for email encryption have been around but have not really taken off. What can be done to make a scheme that will allow everyone to use signed and encrypted email? I'll assume this means no extra effort or cost for the end users, but I would be interested in hearing what you think the requirements are for secure email to be widely deployed and possible solutions.
Thanks, Cullen
Paul, in the past 10 years the world has changed a lot. Who would have thought in 1993 of today's e-commerce sites like Ebay.com or Amazon.com and all the other cool things we can do with the Web? SSL has been a big and influential part of that change. Without security some of these things would not have proceeded so quickly.
What is your prediction for 2013? What role will cryptography and security play 10 years from now? What developments that are cooking in labs today will be the "next big thing"?
I have been doing an undergraduate (i'm not saying I know a lot about it!! ^_^) reading course on quantum computing and an interesting topic that came up is the ability to encode qubits that could potentially be unencryptable. I'm also interested in Shor's algorithm, and the ability of fast factorization of large numbers by quantum computers.
Anyway, I was wondering if you are researching quantum computing and what your thoughts are on this subject.
Thanks! =)
in girum imus nocte et consumimur igni
As you probably know, many viruses release ("political") statements in their code. (Notice, I put it in quotes... I use that term lightly in the following examples.)
My question is:
Could you justify a virus/worm given the quality of the political statement that the writer(s) make?
Let's say that someone releases a worm that rips apart the very heart of the Internet, effectively bringing the world to a screeching halt. If comments in the code are serious enough to make us reconsider something horrible (say attacking some innocent country for the sake of argument), it seems entirely reasonable that this could (theoretically) be a legit form of protest.
What do other slashdotters think?
(I started thinking about this after I posted a Wired article on Grep Law)
It is up to the government to decide if you get a patent. If they decline the patent, they aren't "taking" anything. Without a patent, you won't get much from royalties. Under the interstate commerce clause, the government can place a 100% revenue tax on the license, effectively making it worthless. It just doesn't make sense to treat patents and licenses as property, especially with respect to eminent domain.
On the other hand, secrecy orders violate the first amendment. If the patent office doesn't want anyone to challenge the law on first amendment grounds, they had best offer generous compensation.
So a few hours after this "Ask Slashdot" was posted, there was a Slashdot article about Brumley and Boneh's timing attack on OpenSSL. Does it look practical to you, and does it look like there are practical workarounds?
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
A famous timing attack (page 11) was found on the TENEX system back in the early 70's. The auditors noticed the system behaved differently with a partially correct password than it did with a completely wrong password. They looked for a way to exploit those differences, and found one (I wasn't around back then, but I suspect paging was a selling point of TENEX, making the auditors well aware of it).
If you want ideas on how to do something, the first place to look is the history books.
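The TENEX anecdote above (and the Brumley-Boneh question a few posts up) both come down to the same thing: a check that stops early tells the attacker how much of the guess was right. The following is an added example, not code from the thread; the password, the alphabet and the "bytes compared" oracle are all constructed. The oracle stands in for whatever the attacker can observe (a page fault on TENEX, elapsed time on OpenSSL): `naive_check` leaks the length of the matching prefix, so `recover` walks the secret one byte at a time; `constant_time_check` does the same amount of work for every guess, and the same attack gets nothing.

```python
"""Early-exit comparison vs constant-time comparison, with the attack that
separates them. Added example; SECRET and the oracle are constructed."""

SECRET = b"s3cret!"  # constructed sample; the attacker does not know it


def naive_check(guess: bytes, secret: bytes = SECRET):
    """Return (matched, bytes_compared). Stops at the first mismatch, so
    bytes_compared reveals how long the correct prefix of `guess` is."""
    compared = 0
    for g, s in zip(guess, secret):
        compared += 1
        if g != s:
            return False, compared
    return len(guess) == len(secret), compared


def constant_time_check(guess: bytes, secret: bytes = SECRET):
    """Return (matched, bytes_compared). Always compares len(secret) bytes;
    mismatches are OR-ed into `diff` instead of causing an early return."""
    padded = guess[: len(secret)].ljust(len(secret), b"\0")
    diff = len(guess) ^ len(secret)  # length mismatch is folded in, not branched on
    compared = 0
    for g, s in zip(padded, secret):
        compared += 1
        diff |= g ^ s
    return diff == 0, compared


def recover(check, alphabet=range(32, 127), max_len=32):
    """Recover the secret using only the (matched, bytes_compared) oracle.
    For each position, append a candidate byte plus a trailing NUL: if the
    oracle compares one byte more than the probe length, the candidate was
    right. Returns None when no byte ever moves the oracle (no leak)."""
    known = b""
    for _ in range(max_len):
        for c in alphabet:
            probe = known + bytes([c])
            matched, _ = check(probe)
            if matched:
                return probe
            _, work = check(probe + b"\0")  # NUL is outside the alphabet, forces a mismatch
            if work == len(probe) + 1:
                known = probe
                break
        else:
            return None
    return None


if __name__ == "__main__":
    print("naive   :", recover(naive_check))           # recovers b"s3cret!"
    print("constant:", recover(constant_time_check))   # None: nothing leaks
```

The constant-time version still branches on nothing that depends on the secret's contents; in production use a library primitive such as `hmac.compare_digest` and make sure both inputs have the same length before calling it, since length itself is the one thing it does not hide.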
That would have been modded up if you had posted a link (page 157). However, the parent post specifically said that it was ignoring reversible computing, as no such computer exists.
You implied that NSA was wrong when it said that Skipjack was a secure cipher. Actually, it was a true statement because no weakness in Skipjack has ever been found. The attack on a 31-round variant of Skipjack is of only academic interest and not the slightest bit embarrassing to the NSA. It shows Skipjack to be very well engineered. You seem to be suffering from some fundamental misconception about cryptology.
Why are there so many variants of crypto key formats?
Not only the PKCS series, but also the various encoding methods. And clearly these are inadequate for everyone, so we get PGP formats, SSH/OpenSSH/PuTTY formats, etc.
If there had been a much smaller, more universal set of key formats, interoperable crypto would have been far easier.
On my paranoid days, I begin to suspect the TLA agencies on the standards committees deliberately introduced complexity to limit take-up.
Late posting moderation multiplier=2
Andrew Yeomans
Julian.
What do you think of managing DRM and security through crypto-security co-processors like the offering from Wave Systems, Microsoft, Intel, etc.?
What's up with the D-H support in OpenSSL?
If I'm not too worried about MITM attacks, is it possible to make apache and other applications work without all that certificate stuff using D-H?
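"Not worried about MITM" is exactly the property plain Diffie-Hellman gives up when there is no certificate (or other authentication) behind the public values. The exchange below is an added example, not Apache or OpenSSL code; the group is a constructed toy (p = 1019 = 2*509 + 1, g = 4 generating the order-509 subgroup) so the numbers stay readable, and a real deployment would use a 2048-bit or larger group such as those in RFC 7919. Both the honest run and the man-in-the-middle run are shown with each party's messages.

```python
"""Unauthenticated Diffie-Hellman and the man-in-the-middle it invites.
Added example with a constructed toy group; not production parameters."""
import hashlib
import secrets

P = 1019            # toy safe prime, constructed for readability
Q = (P - 1) // 2    # 509, prime order of the subgroup generated by G
G = 4               # a quadratic residue, so it generates the order-Q subgroup
KEY_BYTES = (P.bit_length() + 7) // 8


def dh_private():
    """Random exponent in [2, Q-1]. Toy-sized here like everything else."""
    return secrets.randbelow(Q - 2) + 2


def dh_public(priv):
    return pow(G, priv, P)


def dh_shared_key(peer_public, priv):
    """Derive a session key from the shared secret. Reject degenerate peer
    values (0, 1, p-1, anything outside the prime-order subgroup) that would
    pin the secret to a value the peer chose."""
    if not 1 < peer_public < P - 1 or pow(peer_public, Q, P) != 1:
        raise ValueError("peer public value not in the prime-order subgroup")
    s = pow(peer_public, priv, P)
    return hashlib.sha256(s.to_bytes(KEY_BYTES, "big")).hexdigest()[:16]


def honest_exchange(a_priv, b_priv):
    """Alice -> Bob: g^a; Bob -> Alice: g^b. Both derive g^(ab)."""
    a_pub, b_pub = dh_public(a_priv), dh_public(b_priv)
    return {
        "alice": dh_shared_key(b_pub, a_priv),
        "bob": dh_shared_key(a_pub, b_priv),
    }


def mitm_exchange(a_priv, b_priv, m_priv_a, m_priv_b):
    """Mallory is on the wire. Alice sends g^a, Mallory forwards g^m1 instead;
    Bob sends g^b, Mallory forwards g^m2 instead. Alice ends up sharing a key
    with Mallory, Bob shares a different one with Mallory, and with no
    authentication of the public values neither can tell."""
    a_pub, b_pub = dh_public(a_priv), dh_public(b_priv)
    m_pub_a, m_pub_b = dh_public(m_priv_a), dh_public(m_priv_b)
    return {
        "alice": dh_shared_key(m_pub_a, a_priv),            # thinks m_pub_a is Bob's
        "bob": dh_shared_key(m_pub_b, b_priv),              # thinks m_pub_b is Alice's
        "mallory_with_alice": dh_shared_key(a_pub, m_priv_a),
        "mallory_with_bob": dh_shared_key(b_pub, m_priv_b),
    }


if __name__ == "__main__":
    a, b = dh_private(), dh_private()
    print("honest:", honest_exchange(a, b))
    print("mitm  :", mitm_exchange(a, b, dh_private(), dh_private()))
```

The fix is not a different key exchange but a binding of the public values to an identity: a signature over them (what the certificate in TLS provides), a pre-shared key, or out-of-band verification of a fingerprint. Anonymous DH ciphersuites give you confidentiality against a passive listener and nothing against an active one.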
What do you guys (including Paul Kocher) think about the government and companies being against crypto for one reason or another?
At least that's what I thought.
Asymmetric keys are far weaker than symmetric keys. Typically people use asymmetric keys because they think distribution of quantities of OTP symmetric keys is hard. This is no harder than your bank sending out a smart card instead of your credit card. Indeed, by putting a CPU on the smartcard, security of the platform would not compromise the table of keys either.
I think far too much trust is put in organisational root certifiers, and instead all keys should be instantly discardable, and trust established via a connection to a TrustProvider (both parties connect to the trust provider and exchange a secret through the TrustProvider; this can be a bank, your organisation server, or on a peer-to-peer basis). If it seems like anything has been compromised, you can quickly dump all keys, re-issue new ones, and trust is re-established. If you rely on less hard-to-break keys, and use them widely across numerous clients, it is very hard to issue a new org root certificate. If your org root certifier, for example in a Lotus Notes system (many countries, many servers), is compromised, then it is extremely hard to re-establish trust.
Re: ease of cracking asymmetric keys. Because so few values in the solution space are possible solutions, they are relatively easy to crack as you only have to brute force the possible solutions, not all possible values. Indeed, custom chips are made by the US government in the basement of the giant NSA building that crack 5000 per second. Imagine a 19 inch rack full of 200 of these, 6 foot tall times a few. You could crack millions per second. However, a terrorist using dice and a piece of paper and pencil could defeat this asymmetric-key-breaking technology (OTP symmetric key). [so who are we kidding]
Guess a number from 0..2^512-1. With probability 1/10E151 you hit the correct number. The probability is non-zero! So, you *might* spend the lifetime of the universe times bazillion, or you *might* not. Shannon defined information and entropy. What would "luck" be in similar terms...?
DES has always been slightly tainted by the suggestion that in the 1970's the NSA instructed IBM to change some aspects of the algorithm and did not give a reason why. There was always some suspicion that the NSA has some backdoor to DES which makes it easi(er) for them to crack it but not for anyone else. However later it turned out that they knew about differential crypto, but did not wish to release the details for fear of weakening some other systems.
Unfortunately, the suspicion still lingers, and the NSA being the NSA and a top secret government agency, the suspicion will probably always linger.
Now DES's successor has finally been blessed by the NSA with an open competition, and the winner is a Belgian algorithm (and the runner-up, Serpent, a British one).
Now my question is, are there any suggestions of any impropriety, reasonable or not, of NSA interference in the selection process of the AES candidates? Or can we commoners actually trust the thing without fear that the US Government is reading everything behind our back? I do not know much about the selection process itself, btw.
The dangers of excessive individualism are nothing compared to the oppressiveness of excessive collectivism
Router vendors are in a unique position to eliminate spoofing, and thereby eliminate the most serious DDOS attacks. All you need is the next version of the firmware in edge routers to have egress filtering enabled by default.
Within a year there would be so few networks that supported spoofing that it would be a forgotten problem.
Sure, this will increase the required CPU speed and cost of manufacture for CISCO and mostly for backbone providers. And, yeah, this is exactly why they don't do it.
But a minor increase in cost (5-10%) is absolutely no excuse for allowing massive uncontrolled and random outages.
One way, or another, the internet community should pressure them to make this change.
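The filtering the post above is asking for is source address validation in the sense of BCP 38 / RFC 2827: an edge router permits outbound packets only when their source lies inside the prefixes the site actually originates, and drops inbound packets that claim one of those sources. The following is an added example, not code from the post or from any vendor; the prefix list and the packet records are constructed, and the second (ingress) rule assumes a single-homed stub network, which is the simple case the post has in mind.

```python
"""BCP 38-style source address validation at a stub network's edge.
Added example; prefixes and packets are constructed samples."""
import ipaddress

# Constructed: prefixes this site legitimately originates traffic from.
LOCAL_PREFIXES = [
    ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8:1::/48")
]

# Constructed packet samples as (direction, src, dst). "out" leaves the site,
# "in" arrives from the upstream.
PACKETS = [
    ("out", "192.0.2.10", "198.51.100.5"),        # legitimate
    ("out", "203.0.113.9", "198.51.100.5"),       # spoofed source, DDoS style
    ("out", "2001:db8:1::42", "2001:db8:2::1"),   # legitimate v6
    ("out", "2001:db8:9::1", "2001:db8:2::1"),    # spoofed v6 source
    ("in", "198.51.100.5", "192.0.2.10"),         # legitimate reply
    ("in", "192.0.2.77", "192.0.2.10"),           # claims to be internal: spoofed
]


def is_local(addr: str) -> bool:
    """True when `addr` falls inside one of the site's own prefixes.
    ip_network.__contains__ already returns False across v4/v6, so a v4
    address is never matched against a v6 prefix."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in LOCAL_PREFIXES)


def verdict(direction: str, src: str) -> str:
    """'permit' or 'drop' for one packet.
    egress : only sources we own may leave (stops our hosts spoofing others)
    ingress: nobody outside may claim to be us (stops others spoofing us;
             assumes a stub network with a single upstream)."""
    local = is_local(src)
    if direction == "out":
        return "permit" if local else "drop"
    if direction == "in":
        return "drop" if local else "permit"
    raise ValueError(f"unknown direction {direction!r}")


def filter_packets(packets=PACKETS):
    """Split packets into (permitted, dropped) lists."""
    dropped = [p for p in packets if verdict(p[0], p[1]) == "drop"]
    permitted = [p for p in packets if p not in dropped]
    return permitted, dropped


if __name__ == "__main__":
    permitted, dropped = filter_packets()
    for p in dropped:
        print("DROP  ", p)
    for p in permitted:
        print("PERMIT", p)
```

Two caveats a practitioner would add to the post's 5-10% estimate: the egress rule must be applied at the customer edge, where the set of legitimate sources is small and known, not deep in a transit backbone, where it is not; and multihomed or asymmetric sites break the naive ingress rule above, which is why routers implement it as a reverse-path check (unicast RPF, in strict or loose mode) against the routing table rather than a fixed list.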