no subject
Date: 2003-05-31 08:04 am (UTC)

no subject
Date: 2003-06-01 04:54 am (UTC)
and I need the ducks, too.

no subject
Date: 2003-06-01 06:46 am (UTC)

no subject
Date: 2003-06-01 02:34 pm (UTC)

no subject
Date: 2003-06-01 03:45 pm (UTC)
A good sign here would be an encrypt-then-MAC combination of a known good encryption scheme, such as CBC or CTR mode, and a known good MAC, such as HMAC-SHA1, XCBC or OMAC. Rogaway and Wagner's EAX mode looks like a good choice, though they've yet to publish the proofs; Ferguson and Whiting's CCM is a feasible alternative though there are issues with it.
They use a different IV for each direction; best practice usually involves using a different key. And of course if they're reusing the same IV for different messages, as this seems to indicate, then they've really screwed up.
The choice of Blowfish instead of AES is also a bit weird in 2003 - to me it suggests either you've not been listening to the winds of change in the crypto world, or you're wearing a tinfoil helmet.
They say "Another unique feature is the way session keys are exchanged and combined so that in order to decrypt past (recorded) traffic, both private keys of a connection need to be recovered", which to me indicates that they don't know what perfect forward secrecy is.
These things give me a bad feeling, especially since there seems to be no reason to home brew a protocol rather than using SSL. I can see a dozen places in their protocol description where someone who knows about as much crypto as these people seem to could screw up. For example:
They don't say anything about what sort of padding they've used with RSA. I wouldn't be surprised if they were using raw RSA, which is insecure - if the thing about the "dictionary attack" means what I think it means then it's woefully insecure and they are fooling themselves badly about this "seems decent" thing.
TBH I'm starting to treat RSA as a warning sign in and of itself these days - it's widely used mostly because it's famous, and I can't think of any way it's better than, say, Rabin, which is always faster, and which, unlike RSA, has a provable reduction to factoring.
There are many ways to misdesign a challenge-response protocol. Worst case, you provide a decryption oracle. If you provide real message integrity, then your initial "hello" messages will work in place of a challenge-response.
That's enough typing for now...
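The encrypt-then-MAC construction the comment above recommends, with separate keys per direction and a fresh IV per message, written out as an added example (this is not the commenter's code nor the product's protocol). It uses AES-CTR and HMAC-SHA256 in place of the Blowfish and HMAC-SHA1 the comment discusses; the key-derivation labels and the sample master secret are constructed for the demo. Note that Open verifies the tag before it decrypts anything, which is what keeps a tampered ciphertext from ever reaching the decryptor.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// DirectionKeys holds the separate encryption and MAC keys for one
// direction of a connection (client->server or server->client).
type DirectionKeys struct {
	EncKey []byte // 16 bytes for AES-128
	MacKey []byte // 32 bytes for HMAC-SHA256
}

// DeriveDirectionKeys splits a shared master secret into four independent
// keys by running HMAC-SHA256 with a distinct label for each purpose and
// direction. The labels are hypothetical; any fixed, distinct strings work.
func DeriveDirectionKeys(master []byte) (c2s, s2c DirectionKeys) {
	prf := func(label string) []byte {
		h := hmac.New(sha256.New, master)
		h.Write([]byte(label))
		return h.Sum(nil)
	}
	c2s = DirectionKeys{EncKey: prf("client->server enc")[:16], MacKey: prf("client->server mac")}
	s2c = DirectionKeys{EncKey: prf("server->client enc")[:16], MacKey: prf("server->client mac")}
	return c2s, s2c
}

// Seal encrypts with AES-CTR under a fresh random nonce, then MACs
// nonce||ciphertext. Output layout: nonce(16) || ciphertext || tag(32).
func Seal(k DirectionKeys, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.EncKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(plaintext), aes.BlockSize+len(plaintext)+sha256.Size)
	nonce := out[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, nonce).XORKeyStream(out[aes.BlockSize:], plaintext)
	mac := hmac.New(sha256.New, k.MacKey)
	mac.Write(out) // tag covers nonce and ciphertext
	return mac.Sum(out), nil
}

// Open checks the tag first, in constant time, and refuses to decrypt if it
// fails, so a forged or modified message never acts as a decryption oracle.
func Open(k DirectionKeys, msg []byte) ([]byte, error) {
	if len(msg) < aes.BlockSize+sha256.Size {
		return nil, errors.New("message too short")
	}
	body, tag := msg[:len(msg)-sha256.Size], msg[len(msg)-sha256.Size:]
	mac := hmac.New(sha256.New, k.MacKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("MAC verification failed")
	}
	block, err := aes.NewCipher(k.EncKey)
	if err != nil {
		return nil, err
	}
	plaintext := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCTR(block, body[:aes.BlockSize]).XORKeyStream(plaintext, body[aes.BlockSize:])
	return plaintext, nil
}

func main() {
	master := []byte("constructed 32-byte master secret!!!") // constructed sample; real code takes this from the key exchange
	c2s, s2c := DeriveDirectionKeys(master)
	msg, _ := Seal(c2s, []byte("hello, server"))
	pt, err := Open(c2s, msg)
	fmt.Printf("%q %v\n", pt, err)
	// The same bytes replayed in the other direction fail the MAC: distinct keys per direction.
	_, err = Open(s2c, msg)
	fmt.Println("reflected:", err)
	msg[len(msg)-sha256.Size-1] ^= 1 // flip one ciphertext bit
	_, err = Open(c2s, msg)
	fmt.Println("tampered:", err)
}
```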
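The RSA padding point made above, as an added example (not the commenter's code and not the product's implementation): raw, unpadded RSA is deterministic and multiplicatively malleable, so if the encrypted value comes from a small set an attacker holding only the public key can recover it by encrypting every guess and comparing, which is the dictionary attack the comment alludes to. OAEP closes that hole by randomising each encryption. The key size and the candidate list are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// RawEncrypt is textbook ("raw") RSA: c = m^e mod n with no padding and no
// randomness. Demonstration only; never use this in a real protocol.
func RawEncrypt(pub *rsa.PublicKey, m []byte) []byte {
	c := new(big.Int).Exp(new(big.Int).SetBytes(m), big.NewInt(int64(pub.E)), pub.N)
	return c.Bytes()
}

// DictionaryAttack recovers a raw-RSA-encrypted plaintext drawn from a small
// known set. Because raw RSA is deterministic, the attacker encrypts every
// guess under the public key and compares; no private key is needed.
func DictionaryAttack(pub *rsa.PublicKey, target []byte, candidates []string) (string, bool) {
	for _, cand := range candidates {
		if bytes.Equal(RawEncrypt(pub, []byte(cand)), target) {
			return cand, true
		}
	}
	return "", false
}

// RawIsMalleable shows the second classic failure of unpadded RSA:
// Enc(m1)*Enc(m2) mod n == Enc(m1*m2 mod n), so an attacker can turn a
// captured ciphertext into a valid ciphertext for a related plaintext.
func RawIsMalleable(pub *rsa.PublicKey, m1, m2 []byte) bool {
	c1 := new(big.Int).SetBytes(RawEncrypt(pub, m1))
	c2 := new(big.Int).SetBytes(RawEncrypt(pub, m2))
	product := new(big.Int).Mod(new(big.Int).Mul(c1, c2), pub.N)
	m12 := new(big.Int).Mul(new(big.Int).SetBytes(m1), new(big.Int).SetBytes(m2))
	m12.Mod(m12, pub.N)
	return bytes.Equal(product.Bytes(), RawEncrypt(pub, m12.Bytes()))
}

// OAEPIsRandomized shows why proper padding defeats the dictionary attack:
// two OAEP encryptions of the same message are different ciphertexts, so
// re-encrypting a guess tells the attacker nothing.
func OAEPIsRandomized(pub *rsa.PublicKey, m []byte) (bool, error) {
	c1, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, m, nil)
	if err != nil {
		return false, err
	}
	c2, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, m, nil)
	if err != nil {
		return false, err
	}
	return !bytes.Equal(c1, c2), nil
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	pub := &key.PublicKey
	// Constructed sample: a "session key" the sender picked from a tiny space.
	candidates := []string{"session-0001", "session-0002", "session-0003", "session-0004"}
	captured := RawEncrypt(pub, []byte("session-0003"))
	guess, ok := DictionaryAttack(pub, captured, candidates)
	fmt.Println("raw RSA dictionary attack recovered:", guess, ok)
	fmt.Println("raw RSA malleable:", RawIsMalleable(pub, []byte("session-0003"), []byte("\x02")))
	randomized, _ := OAEPIsRandomized(pub, []byte("session-0003"))
	fmt.Println("OAEP randomized:", randomized)
}
```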