Which of your design tricks are you proudest of? (on: Ask Steve Wozniak Anything)
My favorite is the Apple ][ disk controller, most notably the read synchronization and decoding achieving 5, then ultimately 6 useful data bits per raw 8 bits, using little discrete logic and a small (P)ROM.
*NOT* related to the recent crypto break (on: FreeBSD Running On PS3)
This is *NOT* related to the recent crypto break, as demonstrated by the release note stating
> Supported hardware: Sony Playstation 3 Fat, firmware version 3.21
Universal Windows Platform (UWP) apps where supposed to run on Windows 10 Mobile. Do they remain relevant? Have they ever been?
I wonder what supports:
> in fact because of this [key scheduling] weakness, AES-256 may be even less secure than AES-192
No attack that I know of makes AES-256 weaker than AES-192, or anything close to that (unless some rounds are trimmed).
Besides, attacks on AES key scheduling make the assumption that the adversary can impose some transformation of the key that she chooses, when the standard and practically relevant assumption is that the adversary cannot influence the choice of key. Under that assumption, as far as I know, all three variants of AES are within 3 bits of their original security goal.
The Naked Ape (a Zoologist's Study of the Human Animal), by Desmond Morris, 1967.
The Selfish Gene, by Richard Dawkins, 1976.
These give clues about what we are, and why.
I like TAOCP, a lot; mainly, because the material is so coherent, precise, well justified, and understandable enough. I spent many weeks reading sections of TAOCP; especially volume 2, on Seminumerical Algorithms; my copy has several post-it marks on techniques useful in my field (applied cryptography): wide multiplication algorithms, modular arithmetic including exponentiation, statistical tests.
I also made significant use of volume 1 (Fundamental Algorithms), which covers things such as trees and hash tables; even purchasing the third edition, on top of the second.
That said,
- _reading_ TAOCP from start to end is not something to consider lightly; perhaps if one has a year to spend.
- I never caught on to the use of MIX in some programs; I just skip it, and advise contemporary readers to do so, even if that means missing a part of the beauty.
The actual FCC notice has:
> (6) Plans With Information Sharing and Analysis Organizations.
> Plans to incorporate relevant outputs from Information Sharing and Analysis Organizations (ISAOs) as elements of the licensee's security architecture. Plans should include comment on machine-to-machine threat information sharing, and any use of anticipated standards for ISAO-based information sharing.
What's an ISAO? Here's what the DHS has to say. Short summary: Big Brother.
There is something that does not add up in Apple's discourse at http://www.apple.com/customer-...
> Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.
> The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor.
I read what the FBI asks as: install a piece of code that allows the phone's content to be examined. I see no middle ground between
1) running such piece of code (probably: after getting it signed by Apple) is possible without the owner's passcode; the iPhone is in fact already backdoored, with Apple holding the key, the FBI wants Apple to exploit the vulnerability/open the backdoor, and Apple does not want to bow, because that's against their policy.
2) running a piece of code signed by Apple also requires the owner's passcode; then the solution pushed by the FBI just can't work.
If the facts were 2, Apple could just state this to the FBI, showing the source code as proof. The FBI would have no choice but to take it as fact (perhaps they would ask for a change in the future, but it would not help immediately for this iPhone). I conclude the true story is 1, and Apple slightly misrepresents things stating the FBI wants the creation of a backdoor, when there's already one, only well locked and never previously used for nefarious purposes.
The monolith is said to be "capable of generating up to 30,000 kilowatt hours of electricity per year". Let's ignore the "up to" part of that; with 8766h/year, that's 3.5kW, a little less than available from a single European 220V 16A plug.
Nope. NaN. We have NaN. The answer is NaN. 0/0? NaN. 1/0? Also NaN. Just fucking use NaN.
I wish I could moderate that one up! Where are those moderator points when you need them most?
While this is certainly a serious design issue, there is no immediate threat: the reactor where the issue was detected is being built, and is not yet loaded with fissile material.
> "freed the world from ever depending on paper maps or confusing directions from relatives again"
It's entirely plausible that GPS, or any equivalent, will die before mankind does. Mad Max, seen it?
In addition to iSIGHT's blog, there's an article in Wired.
Apparently the Rhode Island State Police posted a photo and plausible statement:
https://www.facebook.com/Rhode...
The post says the canine is "trained to detect electronic devices".
That does not look as bogus a claim as training specifically for storage media: the chemicals used in the soldering, cleaning, and IC packaging conceivably could have a detectable smell.
The whole thing is unsubstantiated FUD. I base my judgment on the slides at
https://media.blackhat.com/us-13/us-13-Stamos-The-Factoring-Dead.pdf
The whole argument boils down to:
a) there has recently been huge progress [*] in solving the Discrete Log Problem over fields of small characteristic;
b) progress in solving the DLP has historically implied progress in factorization, and vice versa;
c) factorization breaks RSA, and solving the DLP breaks DSA;
d) thus RSA and DSA are dead, move to ECDSA.
The fallacy of it is that in b) and c), the DLP is exclusively over fields of huge characteristic (thousands of bits), making the algorithms in a) powerless. The slides do not hint at the faintest research lead towards moving to huge characteristic. The best argument is that "renewed interest could result in further improvements".
On the positive side, the author is honest: "I’m not a mathematician, I just play one on stage".
François Grieu
[*] See e.g. this recent paper and its references
Razvan Barbulescu, Pierrick Gaudry, Antoine Joux, Emmanuel Thomé: A quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic
http://hal.inria.fr/docs/00/83/54/46/PDF/quasi.pdf
From the article: "The top performing redox electrolyte (..) yielded output powers of 522 mW per square meter."
Seems that to get the 1 GW power of a nuclear reactor, one would need the active surface of a square of 43 kilometer side coated with that Cobalt stuff.
The original report says about the last vulnerability discussed (but not disclosed):
> Indicators such as covert positioning, the use of special parameters, absence of log messages, facilitation of persistence, and apparent lack of legitimate purpose suggest that this vulnerability could be classified as a symmetric backdoor if malicious intent were to be established (which it has not).
I like the tone: they stop short of stating this is a deliberate backdoor of the worst kind, but give extremely convincing arguments that it is one.
The taken-down images, and the promotional video around 2:53
http://pages.ciphercloud.com/AnyAppfiveminutesdemo.html?aliId=1
make it clear that in these promotional materials, identical plaintext leads to identical ciphertext.
CipherCloud's DMCA takedown notice
http://meta.crypto.stackexchange.com/a/258/555
rebuts that as wrong ("CipherCloud's product is not deterministic"), with a key point at the beginning of page 3:
"[detractor] implies that what was perceived from a public demo is CipherCloud's product offering".
CipherCloud's position is: you misjudged us from what we have shown, which is not the real thing.
If trading funny money and a bare-bones web interface is OK, there is Foresight Exchange (aka Ideosphere) which has worked almost flawlessly since 1994.
http://www.ideosphere.com/
If this computer can decide to reboot itself, it must have now reached self-awareness!
Recently had this situation.
Nirsoft's free "SearchMyFiles" http://www.nirsoft.net/utils/search_my_files.html has a straightforward Find Duplicates mode which helped a lot. It is easy (the most "complex" step is designating the base locations for searches as e.g. K:\;L:\;P:\;Q:\), fast, never crashed on me, and had only cosmetic issues ("del" key not working). I recommend running it with administrative privileges so that it does not miss files.
AMD just clarified that Bulldozer does have 2 billion transistors after all, but only 1.2 billion work.
Link please?
http://dl.acm.org/citation.cfm?id=2046756
"..we describe a practical attack on XML Encryption, which allows to decrypt a ciphertext by sending related ciphertexts to a Web Service and evaluating the server response. We show that an adversary can decrypt a ciphertext by performing only 14 requests per plaintext byte on average."
Impressive!
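The mechanism behind the quoted abstract, as an added example that is not from the paper, the post, or any XML Encryption implementation: a chosen-ciphertext attack on CBC mode that uses nothing but the server's accept/reject answer. Two stand-ins are my assumptions so the script runs with the standard library alone: the server-side check is "every decrypted byte is printable ASCII" (a crude proxy for "the decrypted XML parses"), and the block cipher is a toy SHA-256 Feistel network instead of AES. The attack never looks inside the cipher: XORing a mask into byte j of the block preceding the target XORs the same mask into byte j of the target's plaintext, and the server's verdict on each such modification narrows the candidate set for that byte. The names `Server`, `recover_byte`, `attack` and `demo`, and the sample secret, are mine.

```python
import hashlib
import os

BLOCK = 16
ROUNDS = 8
# Stand-in for "the decrypted XML parses": every byte must be printable ASCII.
PRINTABLE = frozenset(range(0x20, 0x7F))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the toy Feistel cipher (assumption: stands in for AES).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        left, right = xor(right, _f(key, rnd, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    if len(plaintext) % BLOCK:
        raise ValueError("plaintext must be a whole number of blocks")
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(xor(block_decrypt(key, cur), prev))
        prev = cur
    return b"".join(out)


class Server:
    """Holds the key; leaks one bit per request: did the decryption 'parse'?"""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.queries = 0

    def accepts(self, iv: bytes, ciphertext: bytes) -> bool:
        self.queries += 1
        return all(b in PRINTABLE for b in cbc_decrypt(self._key, iv, ciphertext))


def _split(candidates: set, mask: int) -> int:
    # Smaller side of the split produced by asking "is P[j] ^ mask printable?"
    yes = sum(1 for c in candidates if (c ^ mask) in PRINTABLE)
    return min(yes, len(candidates) - yes)


def recover_byte(server: Server, prev: bytes, block: bytes, j: int) -> int:
    # The untouched block was accepted, so P[j] is already known to be printable.
    candidates = set(PRINTABLE)
    while len(candidates) > 1:
        # XORing mask into byte j of the preceding block XORs it into P[j] only;
        # pick the mask whose yes/no answer splits the candidates most evenly.
        # Any two distinct printable bytes are separable by some mask, so this ends.
        mask = max(range(1, 256), key=lambda m: _split(candidates, m))
        iv = bytearray(prev)
        iv[j] ^= mask
        hit = server.accepts(bytes(iv), block)
        candidates = {c for c in candidates if ((c ^ mask) in PRINTABLE) == hit}
    return candidates.pop()


def recover_block(server: Server, prev: bytes, block: bytes) -> bytes:
    """Decrypt one block given the ciphertext block (or IV) that precedes it."""
    if not server.accepts(prev, block):
        # Simplification: this version needs the unmodified block to be accepted.
        raise ValueError("block is rejected as-is; cannot use it as a starting point")
    return bytes(recover_byte(server, prev, block, j) for j in range(BLOCK))


def attack(server: Server, iv: bytes, ciphertext: bytes) -> bytes:
    """Recover the whole plaintext using nothing but the server's verdicts."""
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return b"".join(recover_block(server, blocks[i], blocks[i + 1])
                    for i in range(len(blocks) - 1))


SECRET = b"<a>password=hunter2</a>".ljust(2 * BLOCK, b" ")  # constructed sample


def demo() -> tuple:
    """Encrypt SECRET under a fresh random key and recover it via the oracle.
    Returns (recovered plaintext, oracle requests per plaintext byte)."""
    key, iv = os.urandom(BLOCK), os.urandom(BLOCK)
    server = Server(key)
    recovered = attack(server, iv, cbc_encrypt(key, iv, SECRET))
    return recovered, server.queries / len(SECRET)
```

Running `demo()` returns the exact plaintext and the request count per byte. With this crude interval oracle the only informative events are crossings of the 0x20 and 0x7E boundaries, so most bytes need a couple of dozen requests; an oracle that distinguishes several kinds of parse failure would need fewer. This version also refuses a block that the server rejects unmodified; handling that case takes more work than shown here.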
I now see your point: a CA does not guarantee against MITM in the same way a safe does not guarantee against robbery.
> CA does not guarantee that there is no MITM either
Can you please explain, preferably with a link to a reference?
Common wisdom is that good CA + SSL should protect against MITM, including if the DNS service is compromised.
Francois Grieu