John Young | 7 Oct 21:22 2015

Axe Campaigne Oral History

Oral history of Howard Campaigne, NSA-OH-20-83, not among those 
released yesterday, from June 2014. Scratch it. 
Thierry Moreau | 23 Sep 15:33 2015

Curious about FIDO Alliance authentication scheme

Here is a quick review of the FIDO alliance authentication proposal [1]. 
After looking superficially at the specifications documentation [2], I 
came to the tentative summary below. I did not feel a need to delve into 
the companion documentation set [3].

Core cryptographic principles:

(A) The scheme uses public key crypto signatures (PK signatures) without 
security certificates, for client authentication, in client-server 

(B) Each server entity (relying party) maintains its own database of 
public keys to account identity relationships.

(C) The scheme documentation suggests a unique PK signature key pair for 
each triplet <client,server,device>.

(D) Account registration is devoid of special provisions for client 
identity verification: client device selects a PK signature key pair, 
signs a protocol-negotiation-derived context-dependent data stream and 
that's it.

Best practice security principles:

(E) The scheme documentation includes a taxonomy of mechanisms with 
which the client device may protect the activation of the device PK 
digital signature capability.

(Continue reading)

John Young | 18 Sep 12:57 2015

Key Compromise Related to Architectural Work Not Cryptome

18 September 2015

Key compromise is related to our architectural work on NYC No. 7
Subway Line Extension, recently opened. Project had hundreds of
designers from around the world with access to files. Security of
the project is primary and its design is not public. Extent of
subway system security and file protection is restricted to
need to know.

JYA and Cryptome passphrases remain secure. Key revocation done
for caution.

John Young | 17 Sep 13:12 2015

JYA and Cryptome Passphrase Are Secure

JYA and Cryptome passphrases are secure. Plaintext discovered
not related to Cryptome, with alternative to decrypt: original not

John Young | 15 Sep 21:04 2015

JYA and Cryptome Keys Compromised

15 September 2015

I have learned today that all PGP public keys of John Young
<jya@...> and Cryptome
<cryptome@...> have been
The keys have been revoked today.

Two new keys have been generated today:

John Young 15-0915 <jya@...> 0xD87D436C
Cryptome 15-0915 <cryptome@...> 0x8CD47BD5

This message is signed by the first.

Georgi Guninski | 5 Sep 13:04 2015

RFC-2631, fips 186-3 and openssl's implementation of DSA appear broken (and possibly backdoored)

Per discussions on cypherpunks and this blog:

The discussion, certs and keys are at this thread:

1. RFC-2631 Diffie-Hellman Key Agreement Method

The main problem appears:

2.2.2.  Group Parameter Validation
   The ASN.1 for DH keys in [PKIX] includes elements j and validation-
   Parms which MAY be used by recipients of a key to verify that the
   group parameters were correctly generated. Two checks are possible:

     1. Verify that p=qj + 1. This demonstrates that the parameters meet
        the X9.42 parameter criteria.
     2. Verify that when the p,q generation procedure of [FIPS-186]
        Appendix 2 is followed with seed 'seed', that p is found when
        'counter' = pgenCounter.

The main problem appears MAY.

As I read it, implementation MAY NOT verify it.

Sketch of the attack:

(Continue reading)
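
Check 1 of the quoted section as a recipient should apply it, as an added Python example that is not from the post, from RFC 2631 or from OpenSSL: it verifies p = qj + 1 (deriving j when the cofactor is omitted), checks that p and q are prime, and checks that g really has order q, plus the companion subgroup check for a peer's public value; the seed/counter regeneration of check 2 is not implemented. The small test groups at the bottom are constructed for illustration.

```python
import random
from typing import List, Optional


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test with trial division for tiny inputs."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_group(p: int, q: int, g: int, j: Optional[int] = None) -> List[str]:
    """Reasons the DH group (p, q, g, optional cofactor j) fails; [] means it passed."""
    problems = []
    if j is None:                 # cofactor not sent: derive it, require an exact division
        j, rem = divmod(p - 1, q)
        if rem:
            problems.append("q does not divide p-1")
    elif p != q * j + 1:          # RFC 2631 2.2.2 check 1
        problems.append("p != q*j + 1")
    if not is_probable_prime(p):
        problems.append("p is not prime")
    if not is_probable_prime(q):
        problems.append("q is not prime")
    if not 1 < g < p - 1:         # 0, 1 and p-1 are trivial elements
        problems.append("g out of range")
    elif pow(g, q, p) != 1:       # g must actually generate a subgroup of order q
        problems.append("g does not have order q")
    return problems


def validate_public_value(y: int, p: int, q: int) -> bool:
    """RFC 2631 2.1.5: a peer's public value must lie in the order-q subgroup."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


# Constructed toy group: p = 23 = 11*2 + 1, g = 4 has order 11; g = 5 has order 22.
assert validate_group(23, 11, 4, 2) == []
assert validate_group(23, 11, 5, 2) == ["g does not have order q"]
```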

Ryan Carboni | 30 Aug 07:51 2015

Doesn't Simon look similar to MD5?

Doesn't Simon look similar to MD5? Sure, it includes a few more
rotates and fewer additions, but it looks pretty close to one of MD5's
F-functions. Or maybe RIPEMD.

Interestingly, it wouldn't take much to convert Simon into a Type-1
Feistel network of state size 256 bits (although I'd use Speck's key
schedule). Even more interestingly, extended MD4 shows that it is
harder to cryptanalyze double branch hash functions than a single one.
While obvious, the only difference between MD4 and extended MD4 is a
different set of round constants, yet the cryptanalytic cost of
collision is 2^1 for MD4, and 2^37 for extended MD4, while preimage is
2^107 for MD4 and 2^243 for extended MD4.

This is despite that theoretically two parallel hash functions should
have cryptanalytic efficacy equal to the stronger of the two hash

Personally I'm in favor of a serial round function before a parallel
round function to increase diffusion per cycle count in software. So
maybe convert Simon into a Type-1 Feistel network for 32 rounds, and
convert it to a Type-2 Feistel network for an additional 32 rounds. It
would also have the benefit of increasing the difficulty of finding
trails as it is technically two different ciphers.

Although I'm waiting for chosen key cryptanalysis for Simon, it is
after all meant to be implemented in RFID chips, which means very weak
key generation.

John Young | 17 Aug 18:53 2015

CNSS Issues Memo on Shift to Quantum-Resistant Cryptography

CNSS Advisory Memo on Use of Public Standards for Secure Sharing of Information Among NatSec Systems 08/11/15

This Advisory expands on the guidance contained in CNSS Policy No. 15, National Information Assurance Policy on the Use of Public Standards for the Secure Sharing of Information Among National Security Systems (Reference a). Based on analysis of the effect of quantum computing on Information Assurance (IA) and IA-enabled Information Technology (IT) products, the policy
Ron Garret | 7 Aug 00:13 2015

Announcing a command-line version of SC4

SC4 is my attempt to produce a minimalist and super-easy-to-use replacement for PGP using TweetNaCl as the
core crypto.  The original SC4 was a web application.  Since crypto in the browser makes a lot of people
queasy, I have produced a command-line version written in Python.  It uses the C TweetNaCl library (the web
version obviously had to use a Javascript port).  Python is only used to implement the UI.  You can find
SC4-PY, along with the original web version of SC4, on github:

NOTE: This is an ALPHA release.  It has undergone only very cursory testing (I would really appreciate some
help with that, actually).  The web version of SC4 has been audited, but the Python version has not (though
it was mostly ported directly from the Javascript implementation, so it should not have any gaping holes).

Feedback of all sorts very much appreciated.

Dave Horsfall | 6 Aug 08:02 2015

Book of possible interest

Spreading the word, as it were...  The list is where RTTY idiots like me 
hang out.

Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."
Watson never said: "I think there is a world market for maybe five computers."

---------- Forwarded message ----------
Date: Wed, 05 Aug 2015 09:57:13 -0400
From: Jim Reeds
To: greenkeys <at> 
Subject: [GreenKeys] Book of possible interest

I am a long-time lurker, and have just helped publish a book that might be 
of interest to list members:

"Breaking Teleprinter Ciphers at Bletchley Park: An edition of I.J. Good, 
D. Michie and G. Timms: General Report on Tunny with Emphasis on 
Statistical Methods (1945)"

 James A. Reeds (Editor), Whitfield Diffie (Editor), J. V. Field (Editor)

IEEE/Wiley Press, July 2015.

for details.)

Jim Reeds

Florian Weimer | 5 Aug 22:35 2015

Word-boundary-sensitive hashing

Suppose I have a sequence of words over some alphabet, and I want to
compute a cryptographically secure hash over that.  Simply
concatenating the hashes to form a single word does not work because
the word boundaries might have been meaningful and not implicit in the
inputs, and then you have second preimages etc.  I guess this is why
we have DER, among other reasons.

I've been asked to provide some citation for this observation, but I
can't find a proper reference.  Any suggestions?
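
The ambiguity the question describes, made concrete in an added Python example (not from the post): hashing the bare concatenation gives ("ab", "c") and ("a", "bc") the same digest, so either sequence is a second preimage of the other, while a length-prefixed encoding in the spirit of DER's length octets makes the boundaries part of the hashed input and decodes back to exactly one sequence. The 4-byte length fields are an assumption of this example, not a standard.

```python
import hashlib
from typing import List, Sequence


def naive_hash(words: Sequence[bytes]) -> bytes:
    """Hash the bare concatenation: the word boundaries never reach the hash."""
    return hashlib.sha256(b"".join(words)).digest()


def encode_framed(words: Sequence[bytes]) -> bytes:
    """Prefix the word count and each word's length (4-byte big-endian), so that
    every word sequence has exactly one encoding (the length part of a DER TLV)."""
    out = [len(words).to_bytes(4, "big")]
    for w in words:
        if len(w) > 0xFFFFFFFF:
            raise ValueError("word too long for a 4-byte length prefix")
        out.append(len(w).to_bytes(4, "big") + w)
    return b"".join(out)


def decode_framed(blob: bytes) -> List[bytes]:
    """Inverse of encode_framed; rejects truncated input and trailing bytes."""
    if len(blob) < 4:
        raise ValueError("truncated header")
    count, pos, words = int.from_bytes(blob[:4], "big"), 4, []
    for _ in range(count):
        n = int.from_bytes(blob[pos:pos + 4], "big")
        pos += 4
        if pos + n > len(blob):
            raise ValueError("truncated word")
        words.append(blob[pos:pos + n])
        pos += n
    if pos != len(blob):
        raise ValueError("trailing bytes")
    return words


def framed_hash(words: Sequence[bytes]) -> bytes:
    """Hash over the unambiguous encoding instead of the bare concatenation."""
    return hashlib.sha256(encode_framed(words)).digest()


# Constructed inputs: same bytes, different boundaries.
assert naive_hash([b"ab", b"c"]) == naive_hash([b"a", b"bc"])
assert framed_hash([b"ab", b"c"]) != framed_hash([b"a", b"bc"])
```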