58 entries in 0.962s
: whether explicable by the phobia of 'oh noez some DH stats sometimes fail' or general-purpose idiocy -- i do not know.
: another advantage of DH over RSA is that ECDH allows for really short and sweet keys
: KEMs like RSA are more complicated to implement in as few round trips as DH
: zx2c4: carry on, but after that let's come back to DH
: because -- unsurprise, i hope -- if yer FUCKGOATS were replaced with an identical-looking ftmeadegoats en route, it would pass (perhaps even 'prettier') the dh, ent, etc tests, as the original
<< more importantly, and more subtly, it sells you on the notion that "dh is a prerequisite for handshakes", which happens to be false. for one thing, you can shake a friend's hand without the usg being involved. for another, gossipd does not use dh for handshake. in short, the usgtardian nonsense is always there to distract you while it implants simpler points deep into the reptile b
: valentinbuza, to exemplify asciilifeform's point ^ I shall quote from the docs: "A Noise protocol begins with two parties exchanging handshake messages. During this handshake phase the parties exchange DH public keys and perform a sequence of DH operations" <-- this requires me to import a couple of concepts: handshake messages, DH public keys, there may be others along the line. now, given that my crypto brain-memory module is not
: valentinbuza, "Noise is a framework for crypto protocols based on Diffie-Hellman key agreement. Noise can describe protocols that consist of a single message as well as interactive protocols." in what's a tradition here, http://btcbase.org/log-search?q=dh I'll let the more knowledgeable ppl hammer it.
: so this's a 'meta' test of a given dh-style test ?
: Logged on 2017-07-10 19:50 asciilifeform: mircea_popescu: this'd be an interesting adjunct to the dh
: mircea_popescu: this'd be an interesting adjunct to the dh tests even.
: ( try running dh on, say, a kByte of anything whatsoever )
: well no, not so simple, dh is happy to print 'weak' or 'fail' that resulted from... IT WRAPPING THE STRING
: i don't recall but i believe you can define ~all the params for DH key exchange in ssl, i think
: <+asciilifeform> mod6, mircea_popescu : no word from the dh d00d, eh << tbh, I haven't even reached out myself yet.
: mod6, mircea_popescu : no word from the dh
: Update: Moving on to FG #2. Will collect just over 1.0 Gb and then do ent/dh
: I'm also running ent/dh against 1.2Gb of collected fg entropy, but this time I did it with: `dd iflag=fullblock if=/dev/ttyUSB0 of=fg1.fg4.bin`
: third collection of ~1Gb of entropy is complete from my first fg. running ent & dh
: the sad thing is, dh was mostly used historically to test prng. so the 'waste' was, i picture, not seen as problem.
: it'd be easy to patch around. but i wanted to begin with classical dh
also does a very, imho, questionable thing, of throwing away most of the input (yes) on account of insisting on using new segment of the input for each test
: mod6: my point was, small samples look like shit on dh, because 1000s of 'rewind'
: now at the rate dh eats bytes, a fully rewind-free test of, e.g., FG would take...
: I'm going to collect one more 1Gb+ from this 1st FG, run the ent & dh again, and then move on to the next one. Results should be done in ~24hrs.
: running ent & dh on the output file. this was produced from the same fg unit that the blog was covering.
: <+asciilifeform> NOW if it happens with all of the units in mod6 's parcel, and ~every~ run -- then problem. << this is key too. i'll perhaps collect another 1Gb+ a few more times from that initial first one and report back on the ent/dh
: i'll be testing the other ones and will report back how the ent/dh results look on each.
: anyway, just wanted to be /sure/ that I wasn't getting some sort of variant test results from the dh
: I re-ran the dh on the same fg.bin file (~1.2Gb) and the 'WEAK' tests were exactly the same ones, with exactly the same output values.
: mod6: certain % of the time, test 'weak' and , rarely, 'fail' ( simply means that author of dh decided that given result falls out of uniform distrib. range.)
: Logged on 2017-01-26 22:42 asciilifeform: 'There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because...
: 'There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because...
exchange gets temporally split, so to speak
: 4. Long-term answer: don't use RSA. RSA is well on its way to obsolescence. Most problems you'd ever want to solve with RSA are better solved with Curve25519 (for DH) and Ed25519 (for signing). Not coincidentally, these are the algorithms implemented by Nacl, the only crypto library you should consider using.
: 'A number of IETF standards groups are currently in the process of applying the second-system effect to redesigning their crypto protocols. A major feature of these changes includes the dropping of traditional encryption algorithms and mechanisms like RSA, DH, ECDH/ECDSA, SHA-2, and AES, for a completely different set of mechanisms, including Curve25519 (designed by Dan Bernstein et al), EdDSA (Bernstein and colleagues), Poly
: 'Perfect Forward Secrecy (PFS) by means of ECDH or DH Kex ... opmsg builds fine with any of the OpenSSL, LibreSSL and BoringSSL...' << i've read enough.
is best known as an american/eng author, but iirc his native lang is fr. on account of peculiar upbringing. and he knows plenty of others.
: "Remove disabled (weakened export and non-ephemeral DH) cipher suites from the cipher list. This reduces code size, saves data segment space and prevents them from being turned back on at runtime by flipping a bit in memory."
: if i have to deliver DH/GPG secret to the client for GAuth
: How can I confirm and test (on the endpoint) the connection to the DH
: bouncy-castle is this lib that is available for use, which works fine with RSA but when it comes to DH/DSS or DSA/ElGamal no worky.
: most standard web setups use ephemeral DH
: Nick 'Bane_Capital', with hostmask 'Bane_Capitalfirstname.lastname@example.org.suddenlink.net', is not identified.