nemo_outis <abc@xyz.com> wrote:
>And in light of that, I don't see how "careful analysis" of hardware
>is any easier than careful analysis of software.
Fact 1: Careful analysis is hard and expensive.
Fact 2: The cost of a careful analysis of your security requirements must
be borne by you alone.
Fact 3: Suitable hardware solutions _may_ make this analysis cheaper.
Fact 4: The cost of a careful analysis of commodity software and hardware
can be shared by all buyers of said software/hardware.
From these facts, it may follow that a hardware solution is cheaper than
a software solution. Or it may not.
On Mon, 18 Feb 2008 08:40:12 +0100, Kristian Gjøsteen wrote:
> Sebastian G. <seppi@seppig.de> wrote:
>>Kristian Gjøsteen wrote:
>>
>>> rossum <rossum48@coldmail.com> wrote:
>>>> I was hoping for something more specific about some sort of attack on
>>>> Twofish.
>>>
>>> No. No attacks are known on Twofish.
>>
>>Mr. Schneier may not want to acknowledge them, but I think the
>>distinguishing attack with 2^52 chosen plaintexts and 2^70 steps is pretty
>>serious.
>
> The last time you claimed Twofish broken, the reference you provided
> said no such thing. Is this merely a figment of your imagination or
> another misreading/mischaracterisation of an honest scientific work?
>
> PS. I'm still waiting for a reference to the claim that AES-256 with 16
> rounds is vulnerable to differential cryptanalysis.
You ain't gonna get it, Sebastian's on another one of his spazo-reflex
posts.
On 18 Feb 2008 04:59:40 +0100, Cyberiade.it Anonymous Remailer wrote:
> Krazee Brenda wrote:
>
>> On Sun, 17 Feb 2008 16:53:16 +0100 (CET), George Orwell wrote:
>>
>>>> Like to take me on in a conversation about cryptology?
>>>
>>> You betcha I do.
>>
>> SHUDDUP Moron, I wasn't talking to you.
>
> In other words you're tucking tail and running away from your own empty
> challenge.
>
> Nothing to see here folks...
On Mon, 18 Feb 2008 02:57:22 +0000, me@privacy.net wrote:
> Nomen Nescio wrote:
>>
>>me@privacy.net wrote:
>>
>>> Krazee Brenda wrote:
>>> >
>>> >On Fri, 15 Feb 2008 18:29:41 +0000, me@privacy.net wrote:
>>> >
>>> >> I have a simple text file, less than 64KB, containing all the
>>> >> unique passwords I use for websites. I want to encrypt it in as
>>> >> secure a manner as possible on a Windows XP box. I don't need
>>> >> all these other fancy features, just a simple "type in my
>>> >> passphrase, see the text file" system. Any recommendations?
>>> >> It doesn't need to be free.
>>> >
>>> >Axcrypt, Twofish (with GUI)
>>>
>>> Are you saying Axcrypt uses Twofish? The web page at
>>> http://www.axantum.com/AxCrypt/Features.html says that
>>> it uses AES encryption with 128-bit keys.
>>
>>A perfect example of why you shouldn't rely on clueless rubes for
>>technical information, especially concerning security software.
>
> It is hard to tell which are the clueless rubes when one is himself
> a clueless noob...
>
> A google search makes me believe that Axecrypt is a program that
> I can download and run, while Twofish is an algorithm that some
> programs are based upon. Simply putting the two words in a row
> with a comma in between is not clear writing, thus my query as to
> the intended meaning.
Twofish implementation has an executable. Axecrypt is Axcrypt, open source,
executable. Opus, same; dozens of others (Valise e.g.) same.
Kristian Gjøsteen <kristiag+news@math.ntnu.no> wrote in
news:aqpn85-4fd2.ln1@fimf-h28.math.ntnu.no:
> nemo_outis <abc@xyz.com> wrote:
>>And in light of that, I don't see how "careful analysis" of hardware
>>is any easier than careful analysis of software.
>
> Fact 1: Careful analysis is hard and expensive.
>
> Fact 2: The cost of a careful analysis of your security requirements
> must be borne by you alone.
>
> Fact 3: Suitable hardware solutions _may_ make this analysis cheaper.
>
> Fact 4: The cost of a careful analysis of commodity software and
> hardware can be shared by all buyers of said software/hardware.
>
> From these facts, it may follow that a hardware solution is cheaper
> than a software solution. Or it may not.
>
Neither hardware nor software should be discarded out of hand without
careful analysis and consideration of their merits and demerits for the
particular security application. And while this task may be delegated,
responsibility for its proper execution cannot - this is a corollary of
the fact that one is always ultimately responsible for one's own
security. (Of course, delegation raises a host of other issues from
general management and supervision, through project control, to trust
and control.)
However, some broad trends emerge quickly without deep analysis, such as
that open source hardware security solutions are very uncommon while
open source software ones are far more available. This appears to
militate against using specialized hardware security solutions (except
to a limited degree) especially if the threat model includes state
actors such as intelligence agencies or law enforcement who may have
access to backdoors (indeed, may have coerced or coopted the
manufacturer into putting them there in the first place). Moreover,
even the process of acquisition of specialized security hardware may
raise one's profile to an unacceptable degree.
While there will always be exceptions to meet particular needs, I prefer
a broad strategy of open-source security software running on generic
non-specialized commodity hardware.
>
>
>
> Nomen Nescio wrote:
> >
> >me@privacy.net wrote:
> >
> >> Krazee Brenda wrote:
> >> >
> >> >On Fri, 15 Feb 2008 18:29:41 +0000, me@privacy.net wrote:
> >> >
> >> >> I have a simple text file, less than 64KB, containing all
> >> >> the unique passwords I use for websites. I want to encrypt
> >> >> it in as secure a manner as possible on a Windows XP box.
> >> >> I don't need all these other fancy features, just a simple
> >> >> "type in my passphrase, see the text file" system. Any
> >> >> recommendations? It doesn't need to be free.
> >> >
> >> >Axcrypt, Twofish (with GUI)
> >>
> >> Are you saying Axcrypt uses Twofish? The web page at
> >> http://www.axantum.com/AxCrypt/Features.html says that
> >> it uses AES encryption with 128-bit keys.
> >
> >A perfect example of why you shouldn't rely on clueless rubes for
> >technical information, especially concerning security software.
>
> It is hard to tell which are the clueless rubes when one is
> himself a clueless noob...
Sorry about your problems and everything, but why do you think
they're important enough to bring up?
The sender address of this message is not related to a real person but to
a fake address of an anonymous system. For more info https://www.mixmaster.it
> On 18 Feb 2008 04:59:40 +0100, Cyberiade.it Anonymous Remailer wrote:
>
> > Krazee Brenda wrote:
> >
> >> On Sun, 17 Feb 2008 16:53:16 +0100 (CET), George Orwell wrote:
> >>
> >>>> Like to take me on in a conversation about cryptology?
> >>>
> >>> You betcha I do.
> >>
> >> SHUDDUP Moron, I wasn't talking to you.
> >
> > In other words you're tucking tail and running away from your own empty
> > challenge.
> >
> > Nothing to see here folks...
>
> Damn, you ate the shit and I missed it?
Blame it on the bar code security at your 40 acre nuclear test
facility.
>
>
>
> Bear Bottoms wrote:
>
> >Would it be too much to ask to carry this discussion on in
> >your primary ng and leave alt.comp.freeware out of this?
>
> Done.
> On Mon, 18 Feb 2008 01:19:21 +0100, "Sebastian G." <seppi@seppig.de>
> wrote:
>
>> Kristian Gjøsteen wrote:
>>
>>> rossum <rossum48@coldmail.com> wrote:
>>>> I was hoping for something more specific about some sort of attack on
>>>> Twofish.
>>> No. No attacks are known on Twofish.
>> Mr. Schneier may not want to acknowledge them, but I think the
>> distinguishing attack with 2^52 chosen plaintexts and 2^70 steps is pretty
>> serious.
> Reference/source please.
> Sebastian G. wrote:
>> Mr. Schneier may not want to acknowledge them, but I think the
>> distinguishing attack with 2^52 chosen plaintexts and 2^70 steps is pretty
>> serious.
>
> I can't recall any such attack on the full Twofish. Citation, please.
> Sebastian G. <seppi@seppig.de> wrote:
>> Kristian Gjøsteen wrote:
>>
>>> rossum <rossum48@coldmail.com> wrote:
>>>> I was hoping for something more specific about some sort of attack on
>>>> Twofish.
>>> No. No attacks are known on Twofish.
>> Mr. Schneier may not want to acknowledge them, but I think the
>> distinguishing attack with 2^52 chosen plaintexts and 2^70 steps is pretty
>> serious.
>
> The last time you claimed Twofish broken, the reference you provided
> said no such thing. Is this merely a figment of your imagination or
> another misreading/mischaracterisation of an honest scientific work?
Sebastian G. <seppi@seppig.de> wrote:
>Kristian Gjøsteen wrote:
>
>> Sebastian G. <seppi@seppig.de> wrote:
>>> Kristian Gjøsteen wrote:
>>>
>>>> rossum <rossum48@coldmail.com> wrote:
>>>>> I was hoping for something more specific about some sort of attack on
>>>>> Twofish.
>>>> No. No attacks are known on Twofish.
>>> Mr. Schneier may not want to acknowledge them, but I think the
>>> distinguishing attack with 2^52 chosen plaintexts and 2^70 steps is pretty
>>> serious.
>>
>> The last time you claimed Twofish broken, the reference you provided
>> said no such thing. Is this merely a figment of your imagination or
>> another misreading/mischaracterisation of an honest scientific work?
>
>http://www.schneier.com/twofish-analysis-shiho.pdf
It's mischaracterisation, then. It's quite amazing that, even when
the paper does not claim attacks against Twofish, you claim that it has
attacks against Twofish. And furthermore, it's the same reference you
provided last time. This isn't even funny.
>> PS. I'm still waiting for a reference to the claim that AES-256 with 16
>> rounds is vulnerable to differential cryptanalysis.
>
>I didn't claim it vulnerable; the attack is just a space-time-tradeoff.
Quoting <61iqi2F1v5avoU1@mid.dfncis.de>:
Par example AES-256 has 14 rounds with no known differential
or linear attack, but if you raise it to 16 rounds there's a
differential attack with 2^64 chosen plaintexts and 2^192 steps.
So you didn't claim it vulnerable? And it's not a differential attack,
it's a space-time-tradeoff.
On Mon, 18 Feb 2008 12:50:30 +0100, "Sebastian G." <seppi@seppig.de>
wrote:
>rossum wrote:
>
>> On Mon, 18 Feb 2008 01:19:21 +0100, "Sebastian G." <seppi@seppig.de>
>> wrote:
>>
>>> Kristian Gjøsteen wrote:
>>>
>>>> rossum <rossum48@coldmail.com> wrote:
>>>>> I was hoping for something more specific about some sort of attack on
>>>>> Twofish.
>>>> No. No attacks are known on Twofish.
>>> Mr. Schneier may not want to acknowledge them, but I think the
>>> distinguishing attack with 2^52 chosen plaintexts and 2^70 steps is pretty
>>> serious.
>> Reference/source please.
>
>http://www.schneier.com/twofish-analysis-shiho.pdf
On Mon, 18 Feb 2008 12:52:32 +0100, Sebastian G. wrote:
> http://www.schneier.com/twofish-analysis-shiho.pdf
>
>
>> PS. I'm still waiting for a reference to the claim that AES-256 with 16
>> rounds is vulnerable to differential cryptanalysis.
>
> I didn't claim it vulnerable; the attack is just a space-time-tradeoff. And
> sorry, I had a lot of work recently.
On Mon, 18 Feb 2008 10:30:04 +0100 (CET), Nomen Nescio wrote:
> Ari wrote:
>
>> On 18 Feb 2008 04:59:40 +0100, Cyberiade.it Anonymous Remailer wrote:
>>
>>> Krazee Brenda wrote:
>>>
>>>> On Sun, 17 Feb 2008 16:53:16 +0100 (CET), George Orwell wrote:
>>>>
>>>>>> Like to take me on in a conversation about cryptology?
>>>>>
>>>>> You betcha I do.
>>>>
>>>> SHUDDUP Moron, I wasn't talking to you.
>>>
>>> In other words you're tucking tail and running away from your own empty
>>> challenge.
>>>
>>> Nothing to see here folks...
>>
>> Damn, you ate the shit and I missed it?
>
> Blame it on the bar code security at your 40 acre nuclear test
> facility.
George Orwell wrote:
>
>me@privacy.net wrote:
>
>> Nomen Nescio wrote:
>>
>> >A perfect example of why you shouldn't rely on clueless rubes for
>> >technical information, especially concerning security software.
>>
>> It is hard to tell which are the clueless rubes when one is
>> himself a clueless noob...
>
>Sorry about your problems and everything, but why do you think
>they're important enough to bring up?
Let me see if I get this straight:
If I admit that I am a clueless noob, you criticize me for
admitting that I am a clueless noob, but other people take
the time to explain what they are talking about in such a
way that a clueless noob can understand.
If I try to hide the fact that I am a clueless noob, you
criticize me for asking the kinds of stupid questions that
a clueless noob asks, *and* I get a bunch of answers that
are over my head.
>> http://www.schneier.com/twofish-analysis-shiho.pdf
>
> It's mischaracterisation, then. It's quite amazing that, even when
> the paper does not claim attacks against Twofish, you claim that it has
> attacks against Twofish.
Aside from the fact that it attacks a generalized version of TwoFish and is
the second of three parts of a cryptanalysis on TwoFish by Moriai and Yin...
> And furthermore, it's the same reference you
> provided last time. This isn't even funny.
And my opinion hasn't changed. It is some serious work by some serious
people, and Mr. Schneier still fails to give any reason why he thinks this
attack doesn't apply to TwoFish.
>>> PS. I'm still waiting for a reference to the claim that AES-256 with 16
>>> rounds is vulnerable to differential cryptanalysis.
>> I didn't claim it vulnerable; the attack is just a space-time-tradeoff.
>
> Quoting <61iqi2F1v5avoU1@mid.dfncis.de>:
>
> Par example AES-256 has 14 rounds with no known differential
> or linear attack, but if you raise it to 16 rounds there's a
> differential attack with 2^64 chosen plaintexts and 2^192 steps.
>
> So you didn't claim it vulnerable?
No. Can't you read?
> And it's not a differential attack, it's a space-time-tradeoff.
Yes, due to a differential attack. A cryptographically secure cipher
shouldn't omit such characteristics. The reason why it doesn't matter is
that 2^64 is still much beyond practical, and will probably stay so for the
supposed time of usage for AES.
Sebastian G. <seppi@seppig.de> wrote:
>Kristian Gjøsteen wrote:
Please don't mess up the attributions!
>>> http://www.schneier.com/twofish-analysis-shiho.pdf
>>
>> It's mischaracterisation, then. It's quite amazing that, even when
>> the paper does not claim attacks against Twofish, you claim that it has
>> attacks against Twofish.
>
>Aside from the fact that it attacks a generalized version of TwoFish and is
>the second of three parts of a cryptanalysis on TwoFish by Moriai and Yin...
To support the claim that there are attacks against Twofish, you refer
to, out of a three-part series, the part that doesn't have an attack
on Twofish? That's amazingly useless.
By the way, there's no "generalized version of Twofish" in that paper.
The likelihood is that you are talking nonsense, as usual.
> > And furthermore, it's the same reference you
>
>> provided last time. This isn't even funny.
>
>And my opinion hasn't changed. It is some serious work by some serious
>people, and Mr. Schneier still fails to give any reason why he thinks this
>attack doesn't apply to TwoFish.
Perhaps because it _isn't_ an attack?
>>>> PS. I'm still waiting for a reference to the claim that AES-256 with 16
>>>> rounds is vulnerable to differential cryptanalysis.
>>> I didn't claim it vulnerable; the attack is just a space-time-tradeoff.
>>
>> Quoting <61iqi2F1v5avoU1@mid.dfncis.de>:
>>
>> Par example AES-256 has 14 rounds with no known differential
>> or linear attack, but if you raise it to 16 rounds there's a
>> differential attack with 2^64 chosen plaintexts and 2^192 steps.
>>
>> So you didn't claim it vulnerable?
>
>No. Can't you read?
What??? I'm not a native English speaker, but come on!
>> And it's not a differential attack, it's a space-time-tradeoff.
>
>Yes, due to a differential attack. A cryptographically secure cipher
>shouldn't omit such characteristics.
This is nonsense! Post a reference to the attack.
> The reason why it doesn't matter is
>that 2^64 is still much beyond practical, and will probably stay so for the
>supposed time of usage for AES.
It doesn't matter because, with high probability, it only exists in
your imagination.
> Mr. Schneier may not want to acknowledge them, but I think the
> distinguishing attack with 2^52 chosen plaintexts and 2^70 steps is pretty
> serious.
<laugh!>
Sebastian fancies himself smarter than one of the world's most
recognized authorities on the subject of cryptography and cryptanalysis.
Kristian Gjøsteen wrote:
> PS. I'm still waiting for a reference to the claim that AES-256 with 16
> rounds is vulnerable to differential cryptanalysis.
Sebastian G. wrote:
> I didn't claim it vulnerable; the attack is just a space-time-tradeoff.
Kristian points out that earlier, Sebastian G. wrote:
> Par example AES-256 has 14 rounds with no known differential
> or linear attack, but if you raise it to 16 rounds there's a
> differential attack with 2^64 chosen plaintexts and 2^192 steps.
Kristian Gjøsteen wrote:
> So you didn't claim it vulnerable?
Sebastian G. wrote:
> No. Can't you read?
This feels like some kind of Alice-in-Wonderland conversation.
(Or maybe it's the Princess Bride: "I do not think that word means
what you think it means.")
If you claim there is a differential attack on a block cipher,
you are claiming that it is vulnerable. That's what the word "attack"
normally means. Seems to me that Kristian Gjøsteen can read just
fine.
Sebastian G. wrote:
> Mr. Schneier may not want to acknowledge them, but I think the
> distinguishing attack with 2^52 chosen plaintexts and 2^70 steps is pretty
> serious.
That's your reference? You posted this mistaken claim to sci.crypt
once before back in November 2005, and it was pointed out to you back
then on this very newsgroup that you seem to have misunderstood that
paper's claims. I'm not sure why you bring this up again when your
claims have been discredited once before.
The Moriai-Yin paper you cite never claims that they have a distinguishing
attack on the full Twofish; that's a product of your imagination.
Take a look at Section 4.1 and Section 4.2. Section 4.2 is titled
"Truncated differentials useful for distinguishing attacks", and the
best they find is something that can be used to attack 4 or 5 rounds of
the 16 rounds of Twofish.
In contrast, Section 4.1 is titled "Truncated differentials with
high probability" and the differentials mentioned in that section
are not claimed to be useful for mounting a distinguishing attack.
For instance, in Section 4.1 Moriai and Yin say that there exists
a truncated differential for the full 16 rounds of the form
(0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,x)
->
(a,0,b,c, d,e,f,g, h,i,j,k, k,m,n,o)
They claim that this truncated differential has probability 2^-57.3.
I think they mean that this characteristic has probability 2^-57.3,
since they presumably only consider one path. But of course a random
pair of plaintexts (matching the input difference) has a probability
of approximately 2^-8 of yielding this same output difference. So this
does _not_ (I repeat, not) yield a distinguishing attack with 2^52 chosen
plaintexts and 2^70 steps, and Moriai-Yin do _not_ claim that it does.
The existence of a truncated differential characteristic of probability
1/n does not necessarily mean that there exists an O(n)-time attack.
In particular, in no place in that paper do Moriai and Yin claim that
they have an attack on the full Twofish.
And what's with this "Mr. Schneier may not want to acknowledge them"
business? There's nothing for him to acknowledge.
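As an added illustration of the point made above (this is not part of the thread, and not a calculation from the Moriai-Yin paper or from the poster), the following Python estimates how many chosen-plaintext pairs a truncated-differential distinguisher would need when the characteristic's probability (2^-57.3, taken from the post) sits on top of the probability that a random permutation already produces the same output pattern (about 2^-8 for one fixed zero byte in a 128-bit block, also from the post). The two-term counting model, the constant `sigma`, and the hypothetical second case with a fully specified output difference are assumptions made for this example; the numbers are order-of-magnitude estimates, not results from any paper.

```python
import math

# Parameters quoted in the thread for the 16-round Twofish truncated differential.
BLOCK_BITS = 128              # Twofish block size
LOG2_P_CHAR_TWOFISH = -57.3   # characteristic probability stated in the post
ZERO_BYTES_IN_OUTPUT = 1      # the "(a,0,b,c, ...)" pattern fixes exactly one byte to 0
LOG2_CLAIMED_DATA = 52        # the disputed "2^52 chosen plaintexts"


def log2_random_truncated_prob(zero_bytes: int) -> float:
    """log2 of the probability that a uniformly random 16-byte output
    difference already matches a pattern with `zero_bytes` bytes fixed to 0.
    This is the baseline a random permutation gives for free."""
    return -8.0 * zero_bytes


def log2_pairs_needed(log2_p_random: float, log2_p_char: float,
                      sigma: float = 4.0) -> float:
    """Rough log2 of the number of right-input-difference pairs needed to
    distinguish the cipher from a random permutation (assumed model).

    The characteristic contributes p_char on top of the baseline p_random.
    Two constraints apply and the larger one wins:
      * the expected number of extra hits must be at least sigma:
            N >= sigma / p_char
      * the extra hits must stand out from the baseline's own noise by
        sigma standard deviations (Poisson/Gaussian approximation):
            N >= sigma^2 * p_random / p_char^2
    """
    log2_sigma = math.log2(sigma)
    n_hits = log2_sigma - log2_p_char
    n_noise = 2 * log2_sigma + log2_p_random - 2 * log2_p_char
    return max(n_hits, n_noise)


def log2_available_pairs(block_bits: int) -> float:
    """Each plaintext has exactly one partner at a fixed input difference,
    so at most 2^(block_bits - 1) distinct pairs exist at all."""
    return float(block_bits - 1)


def assess(log2_p_random: float, log2_p_char: float,
           log2_claimed_data: float, block_bits: int = BLOCK_BITS) -> dict:
    """Compare the estimated data requirement against the codebook size and
    against a claimed data complexity."""
    need = log2_pairs_needed(log2_p_random, log2_p_char)
    return {
        "log2_pairs_needed": need,
        "fits_in_codebook": need <= log2_available_pairs(block_bits),
        "supports_claim": need <= log2_claimed_data,
    }


def twofish_case() -> dict:
    """The situation described in the post: one zero output byte (baseline
    2^-8) and a 2^-57.3 characteristic."""
    return assess(log2_random_truncated_prob(ZERO_BYTES_IN_OUTPUT),
                  LOG2_P_CHAR_TWOFISH, LOG2_CLAIMED_DATA)


def hypothetical_full_difference_case() -> dict:
    """Constructed contrast (not from the thread): if the output difference
    were fully specified, the random baseline would be 2^-128 and the naive
    '1/p' rule of thumb would hold."""
    return assess(-float(BLOCK_BITS), LOG2_P_CHAR_TWOFISH, LOG2_CLAIMED_DATA)


if __name__ == "__main__":
    for name, result in (("one zero byte (post)", twofish_case()),
                         ("full difference (hypothetical)", hypothetical_full_difference_case())):
        print(f"{name}: ~2^{result['log2_pairs_needed']:.1f} pairs, "
              f"fits in codebook: {result['fits_in_codebook']}, "
              f"supports 2^{LOG2_CLAIMED_DATA} claim: {result['supports_claim']}")
```

The contrast between the two cases is the post's "1/n does not mean O(n)" remark in numbers: with a fully specified output difference the estimate is governed by 1/p_char, but with one fixed byte the 2^-8 baseline noise dominates and the requirement grows to roughly p_random/p_char^2, far beyond the claimed 2^52.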
On Mon, 18 Feb 2008 13:59:56 +0000, me@privacy.net wrote:
>>me@privacy.net wrote:
>>
>>> Nomen Nescio wrote:
>>>
>>> >A perfect example of why you shouldn't rely on clueless rubes for
>>> >technical information, especially concerning security software.
>>>
>>> It is hard to tell which are the clueless rubes when one is
>>> himself a clueless noob...
>>
>>Sorry about your problems and everything, but why do you think
>>they're important enough to bring up?
>
> Let me see if I get this straight:
>
> If I admit that I am a clueless noob, you criticize me for
> admitting that I am a clueless noob, but other people take
> the time to explain what they are talking about in such a
> way that a clueless noob can understand.
>
> If I try to hide the fact that I am a clueless noob, you
> criticize me for asking the kinds of stupid questions that
> a clueless noob asks, *and* I get a bunch of answers that
> are over my head.
>
> I prefer the first option.
First rule, don't argue with cowards who hide behind "anonymity" and
remailers. Why not box your fucking shadow?
--
An Explanation Of The Need To Be "Anonymous" http://www.penny-arcade.com/comic/2004/03/19