Kevin | 26 Mar 20:48 2015

triangular Encryption of Data

John Young | 23 Mar 23:47 2015

NSA Pre-Releases 24 William Friedman Docs, 909 pp

NSA Pre-Releases William Friedman Docs 909 pp (PDF, 50MB)

24 Papers of 52,000 pp due in April 2015
cryptography mailing list
Adam Caudill | 21 Mar 22:44 2015

Underhanded Crypto Contest - All Entries Published

FYI - All of the entries received for the Underhanded Crypto Contest have now been published. See here for the list and downloads:

--Adam Caudill
John Levine | 21 Mar 22:14 2015

Re: [Cryptography] IBM looking at adopting bitcoin technology for major currencies

In article <0F84F471-A996-41ED-AF73-30C53B6583AD@...> you write:
>Did you hear about how the Fed would not allow Germany to visit to audit their
>gold, eventually, German personnel were allowed to stand in the door way of only
>one of their vaults, but not enter and randomly inspect their bars. ...  

Yes.  Great story, other than the minor detail that it is mostly
false.  Here's a story from Der Spiegel, an actual news magazine, that
is a lot more credible than the nonsense you find on gold bug blogs.

Also see this story in which German gold bug Peter Boehringer has an
impressive array of conspiracy theories about missing German gold,
except that it's all there.

Kevin | 19 Mar 20:33 2015

Unbreakable crypto?

This software uses the one-time pad.  Have any of you seen this?


Mixing multiple password hashing: Crypto Blasphemy or Useful approach?

Hi all,

I've been brainstorming on the different ways to apply a KDF in a "strong enough way", and I see that each approach has its advantages and disadvantages in terms of speed, in terms of FPGA/ASIC protection, and in terms of the crypto primitives being used.

I'm wondering if it's smart or stupid to think of/apply a password-hashing system that applies multiple password-hashing schemes based on different cryptographic primitives in sequence, as a way to force an attacker who wants to FPGA/ASICize the brute-forcing process to implement multiple cracking infrastructures.

I don't have the cryptographic knowledge to design something on my own, but I'm asking if "this approach" makes sense.

Let's assume something like this, assuming that it could take 10-20s on a modern computer:

step0: 3s of scrypt
step1: 10,000 rounds of SHA256
step2: 10,000 rounds of SHA512
step3: 10,000 rounds of Whirlpool (even if broken)
step4: 10,000 rounds of Blake2
step5: 10,000 rounds of Keccak (SHA3)
step7: 10,000 rounds of HKDF (in WebCrypto API)
step6: 10,000 rounds of PBKDF2 (in WebCrypto API)

Each hashing algorithm and KDF function provides a specific set of protections against a specific set of attacks.

An adversary that wants to build an ASIC or FPGA cluster would really need to build many specialized clusters rather than one very focused cracking cluster (i.e. to attack SHA256).

A "Meta KDF" function like that could bring much more complexity on the attacker's side by requiring the attacker to employ multiple attack vectors to attack the cryptosystem.

Does the approach described above make sense, from a real-world attack scenario perspective, as a "key-stretching on steroids" approach?

-- Fabio Pietrosanti (naif) HERMES - Center for Transparency and Digital Human Rights
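The chain above, composed in Python's hashlib as an added example (not code from the thread), with per-step timing so the reader can see how much of the per-guess cost each step actually adds: each step's output is the next step's key material. Whirlpool is left out because hashlib does not guarantee it, the scrypt parameters are assumed (the post only says "3s of scrypt"), and Python call overhead inflates the fast-hash loops relative to native code.

```python
import hashlib, hmac, time

def iterate(algo: str, data: bytes, rounds: int) -> bytes:
    """Feed a hash's own output back in `rounds` times (steps 1-5 of the post)."""
    for _ in range(rounds):
        data = hashlib.new(algo, data).digest()
    return data

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes) -> bytes:
    """RFC 5869 HKDF-Extract followed by a single HKDF-Expand block (32 bytes)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()

def iterate_hkdf(key: bytes, salt: bytes, rounds: int) -> bytes:
    for _ in range(rounds):
        key = hkdf_sha256(key, salt, b"meta-kdf")
    return key

# The chain in the post's order. Whirlpool omitted (not guaranteed in hashlib);
# scrypt cost parameters are assumed, the post only says "3s of scrypt".
ROUNDS = 10_000
STEPS = [
    ("scrypt",   lambda k, s: hashlib.scrypt(k, salt=s, n=2**14, r=8, p=1, dklen=32)),
    ("sha256",   lambda k, s: iterate("sha256", k, ROUNDS)),
    ("sha512",   lambda k, s: iterate("sha512", k, ROUNDS)),
    ("blake2b",  lambda k, s: iterate("blake2b", k, ROUNDS)),
    ("sha3_256", lambda k, s: iterate("sha3_256", k, ROUNDS)),
    ("hkdf",     lambda k, s: iterate_hkdf(k, s, ROUNDS)),
    ("pbkdf2",   lambda k, s: hashlib.pbkdf2_hmac("sha256", k, s, ROUNDS, 32)),
]

def run_chain(password: bytes, salt: bytes):
    """Return (derived key, {step: seconds}); each step's output feeds the next."""
    key, cost = password, {}
    for name, fn in STEPS:
        t0 = time.perf_counter()
        key = fn(key, salt)
        cost[name] = time.perf_counter() - t0
    return key, cost

def meta_kdf(password: bytes, salt: bytes) -> bytes:
    return run_chain(password, salt)[0]

def cost_share(cost: dict) -> dict:
    """Fraction of the per-guess time spent in each step: an attacker who builds
    one cracking cluster per primitive only has to replicate the expensive ones."""
    total = sum(cost.values())
    return {name: t / total for name, t in cost.items()}
```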

SRP 6a + storage of password's related material strength?

Hi all,

SRP is a very cool authentication protocol, not yet widely deployed, but
with very interesting properties.

I'm wondering how strong the storage of the password-related material
is considered to be?

I mean, from a passive/offline brute-forcing perspective, how does
scrypt compare to SRP's server-side storage of passwords?

Has anyone ever considered that kind of problem?

Because the SRP protocol is cool, but I'm really wondering if the default
methods are "strong enough" against brute forcing.


Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
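What SRP stores server-side, as an added example (not code from the thread): the verifier v = g^x mod N, with x derived from the password by two SHA-1 calls in the RFC 5054 default. Whoever obtains v can test a password guess with that derivation plus one modular exponentiation, so the cost of deriving x is the whole answer to the question above; the `srp_x_stretched` variant is an assumed local hardening that puts scrypt into x (both client and server must use it), and the group parameters are a constructed toy, not an RFC 5054 group.

```python
import hashlib, os

# Constructed toy parameters for illustration only: real SRP-6a uses the
# RFC 5054 groups (1024-bit and larger). M127 keeps pow() instant here.
TOY_N = 2**127 - 1
TOY_G = 3

def srp_x_rfc5054(identity: bytes, password: bytes, salt: bytes) -> int:
    """x = SHA1(s | SHA1(I | ':' | P)): the default, two fast hashes per guess."""
    inner = hashlib.sha1(identity + b":" + password).digest()
    return int.from_bytes(hashlib.sha1(salt + inner).digest(), "big")

def srp_x_stretched(identity: bytes, password: bytes, salt: bytes,
                    n: int = 2**14, r: int = 8, p: int = 1) -> int:
    """Same shape, but the inner hash is replaced by scrypt (assumed local
    variant, not RFC 5054). The client computes x at login, so it must use the
    same derivation; the server still stores only v."""
    inner = hashlib.scrypt(password, salt=identity + b":" + salt,
                           n=n, r=r, p=p, dklen=32)
    return int.from_bytes(hashlib.sha256(salt + inner).digest(), "big")

def verifier(x: int, N: int = TOY_N, g: int = TOY_G) -> int:
    """v = g^x mod N is the stored record; going from v back to P means guessing P,
    recomputing x and one modexp per guess, so the cost of x sets the bar."""
    return pow(g, x, N)

def enroll(identity: bytes, password: bytes, stretched: bool = False,
           salt: bytes = None):
    """Produce the (salt, verifier) record the server keeps for this user."""
    salt = salt or os.urandom(16)
    derive = srp_x_stretched if stretched else srp_x_rfc5054
    return salt, verifier(derive(identity, password, salt))
```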
Eren Türkay | 11 Mar 13:46 2015

PPTP Security


I was wondering about the security of PPTP. I know that MSCHAPv2 is vulnerable
and it is not recommended to use MSCHAPv2 alone [0][1]. The recommended
solution seems to be MSCHAPv2+PEAP according to Microsoft, but I'm not
sure how secure it is as I don't know the state of MSCHAPv2+PEAP. Does
anyone know about the MSCHAPv2+PEAP implementation and its security?

I am thinking of migrating to OpenVPN but it takes a little bit of time
to configure the routers. The reason why PPTP was selected in the first
place was the ease of configuration.




Eren Türkay, System Administrator | +90 212 483 7555

Yildiz Teknik Universitesi Davutpasa Kampusu
Teknopark Bolgesi, D2 Blok No:107
Esenler, Istanbul Pk.34220


Javascript Password Hashing: Scrypt with WebCrypto API?

Hi all,

at GlobaLeaks we're undergoing implementation of client-side encryption
with server-side storage of PGP Private keys.

Obviously the hashing to be used for storing such PGP private keys has
to be strong enough, with a valuable key-stretching approach.

We're now considering using scrypt with some finely tuned parameters,
but we have concerns regarding its performance in the browser as a JS

PBKDF2 is available from the WebCrypto API and, as far as I read and
understand (but I'm not that much of a low-level crypto expert), is used
internally by scrypt.

Does anyone know of any scrypt implementation that tries to leverage the
WebCrypto API?


Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
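The post's reading is right: scrypt (RFC 7914) is PBKDF2-HMAC-SHA256, then the memory-hard ROMix step, then PBKDF2-HMAC-SHA256 again, so a WebCrypto PBKDF2 call can cover only the two outer steps while ROMix (Salsa20/8 and BlockMix over an N-entry table) still has to be done in JS. The Python below, added here and not code from the thread or from GlobaLeaks, builds scrypt from those parts and cross-checks it against OpenSSL's scrypt in hashlib; the N, r, p values are kept small so it runs instantly.

```python
import hashlib, struct
M = 0xFFFFFFFF
_ROT = lambda v, s: ((v << s) | (v >> (32 - s))) & M
# Salsa20 quarter-round index quads: four column rounds, then four row rounds
_QR = [(0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),
       (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)]

def salsa20_8(block: bytes) -> bytes:
    """Salsa20/8 core on one 64-byte block (RFC 7914 section 3)."""
    x = list(struct.unpack("<16I", block))
    orig = x[:]
    for _ in range(4):                      # 8 rounds = 4 double-rounds
        for a, b, c, d in _QR:
            x[b] ^= _ROT((x[a] + x[d]) & M, 7)
            x[c] ^= _ROT((x[b] + x[a]) & M, 9)
            x[d] ^= _ROT((x[c] + x[b]) & M, 13)
            x[a] ^= _ROT((x[d] + x[c]) & M, 18)
    return struct.pack("<16I", *[(u + v) & M for u, v in zip(x, orig)])

def _xor(a: bytes, b: bytes) -> bytes: return bytes(u ^ v for u, v in zip(a, b))

def blockmix(B: bytes, r: int) -> bytes:
    """scryptBlockMix: 2r blocks of 64 bytes in, 2r blocks out."""
    X, out = B[-64:], []
    for i in range(2 * r):
        X = salsa20_8(_xor(X, B[i * 64:(i + 1) * 64]))
        out.append(X)
    return b"".join(out[0::2] + out[1::2])  # even blocks, then odd blocks

def romix(B: bytes, N: int, r: int) -> bytes:
    """scryptROMix: the memory-hard part (N table entries of 128r bytes)."""
    X, V = B, []
    for _ in range(N):                      # fill the table sequentially
        V.append(X)
        X = blockmix(X, r)
    for _ in range(N):                      # data-dependent random reads
        j = int.from_bytes(X[-64:], "little") % N
        X = blockmix(_xor(X, V[j]), r)
    return X

def scrypt(pw: bytes, salt: bytes, N: int, r: int, p: int, dklen: int) -> bytes:
    """PBKDF2-HMAC-SHA256 -> p independent ROMix lanes -> PBKDF2-HMAC-SHA256."""
    B = hashlib.pbkdf2_hmac("sha256", pw, salt, 1, p * 128 * r)
    lanes = [romix(B[i * 128 * r:(i + 1) * 128 * r], N, r) for i in range(p)]
    return hashlib.pbkdf2_hmac("sha256", pw, b"".join(lanes), 1, dklen)

def matches_hashlib(pw, salt, N=16, r=1, p=1, dklen=64) -> bool:  # cross-check vs OpenSSL
    return scrypt(pw, salt, N, r, p, dklen) == hashlib.scrypt(pw, salt=salt, n=N, r=r, p=p, dklen=dklen)
```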
John Young | 10 Mar 18:08 2015

NSA black budget cryptanalysis

The Intercept file on NSA black budget cryptanalysis

Included in the Zip file previously posted.
John Young | 10 Mar 12:38 2015

NSA Apple DPA Cryptanalysis

The Intercept has released files on Apple, DPA and other
cryptanalysis: (12pp, 1.9MB)