log☇︎
58 entries in 0.956s
asciilifeform: whether explicable by the phobia of 'oh noez some DH stats sometimes fail' or general-purpose idiocy -- i do not know.
zx2c4: another advantage of DH over RSA is that ECDH allows for really short and sweet keys
asciilifeform: let's return to DH
zx2c4: KEMs like RSA are more complicated to implement in as few round trips as DH-based protocols
asciilifeform: zx2c4: carry on, but after that let's come back to DH
asciilifeform: because -- unsurprise, i hope -- if yer FUCKGOATS were replaced with an identical-looking ftmeadegoats en route, it would pass (perhaps even 'prettier') the dh, ent, etc tests, as the original
mircea_popescu: http://btcbase.org/log/2017-08-22#1701966 << more importantly, and more subtly, it sells you on the notion that "dh is a prerequisite for handshakes", which happens to be false. for one thing, you can shake a friend's hand without the usg being involved. for another, gossipd does not use dh for handshake. in short, the usgtardian nonsense is always there to distract you while it implants simpler points deep into the reptile b ☝︎
spyked: valentinbuza, to exemplify asciilifeform's point ^ I shall quote from the docs: "A Noise protocol begins with two parties exchanging handshake messages. During this handshake phase the parties exchange DH public keys and perform a sequence of DH operations" <-- this requires me to import a couple of concepts: handshake messages, DH public keys, there may be others along the line. now, given that my crypto brain-memory module is not
asciilifeform: dh in the logz is... 'dieharder'
spyked: valentinbuza, "Noise is a framework for crypto protocols based on Diffie-Hellman key agreement. Noise can describe protocols that consist of a single message as well as interactive protocols." in what's a tradition here, http://btcbase.org/log-search?q=dh I'll let the more knowledgeable ppl hammer it.
asciilifeform: so this's a 'meta' test of a given dh-style test ?
a111: Logged on 2017-07-10 19:50 asciilifeform: mircea_popescu: this'd be an interesting adjunct to the dh tests even.
asciilifeform: recall the dh thread
asciilifeform: mircea_popescu: this'd be an interesting adjunct to the dh tests even. ☟︎
asciilifeform: ( try running dh on, say, a kByte of anything whatsoever )
asciilifeform: well no, not so simple, dh is happy to print 'weak' or 'fail' that resulted from... IT WRAPPING THE STRING
Framedragger: i don't recall but i believe you can define ~all the params for DH key exchange in ssl, i think
mod6: <+asciilifeform> mod6, mircea_popescu : no word from the dh d00d, eh << tbh, I haven't even reached out myself yet.
asciilifeform: mod6, mircea_popescu : no word from the dh d00d, eh
mod6: Update: Moving on to FG #2. Will collect just over 1.0 Gb and then do ent/dh tests.
mod6: I'm also running ent/dh against 1.2Gb of collected fg entropy, but this time I did it with: `dd iflag=fullblock if=/dev/ttyUSB0 of=fg1.fg4.bin`
asciilifeform: speaking of which, any answer from dh author ?
mod6: Alright asciilifeform, mircea_popescu, et. al. Here's the 3rd run of the dh & ent against the third collection of ~1.1Gb of entropy. http://www.mod6.net/fg/fg-test/fg1.dieharder_run3.txt http://www.mod6.net/fg/fg-test/fg1.ent_run3.txt
mod6: third collection of ~1Gb of entropy is complete from my first fg. running ent & dh now...
asciilifeform: the sad thing is, dh was mostly used historically to test prng. so the 'waste' was, i picture, not seen as problem.
asciilifeform: it'd be easy to patch around. but i wanted to begin with classical dh.
asciilifeform: dh also does a very, imho, questionable thing, of throwing away most of the input (yes) on account of insisting on using new segment of the input for each test
asciilifeform: mod6: my point was, small samples look like shit on dh, because 1000s of 'rewind'
asciilifeform: now at the rate dh eats bytes, a fully rewind-free test of, e.g., FG would take...
mod6: I'm going to collect one more 1Gb+ from this 1st FG, run the ent & dh again, and then move on to the next one. Results should be done in ~24hrs.
mod6: running ent & dh on the output file. this was produced from the same fg unit that the blog was covering.
mod6: <+asciilifeform> NOW if it happens with all of the units in mod6 's parcel, and ~every~ run -- then problem. << this is key too. i'll perhaps collect another 1Gb+ a few more times from that initial first one and report back on the ent/dh results too.
mod6: i'll be testing the other ones and will report back how the ent/dh results look on each.
mod6: anyway, just wanted to be /sure/ that I wasn't getting some sort of varient test results from the dh.
asciilifeform: dh is deterministic
mod6: I re-ran the dh on the same fg.bin file (~1.2Gb) and the 'WEAK' tests were exactly the same ones, with exactly the same output values.
asciilifeform: mod6: certain % of the time, test 'weak' and , rarely, 'fail' ( simply means that author of dh decided that given result falls out of uniform distrib. range.)
a111: Logged on 2017-01-26 22:42 asciilifeform: 'There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because...
asciilifeform: 'There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because... ☟︎
Framedragger: DH exchange gets temporally split, so to speak
asciilifeform: same as dh, elgamal, cramershoup.
mircea_popescu: 4. Long-term answer: don't use RSA. RSA is well on its way to obsolescence. Most problems you'd ever want to solve with RSA are better solved with Curve25519 (for DH) and Ed25519 (for signing). Not coincidentally, these are the algorithms implemented by Nacl, the only crypto library you should consider using.
asciilifeform: 'A number of IETF standards groups are currently in the process of applying the second-system effect to redesigning their crypto protocols. A major feature of these changes includes the dropping of traditional encryption algorithms and mechanisms like RSA, DH, ECDH/ECDSA, SHA-2, and AES, for a completely different set of mechanisms, including Curve25519 (designed by Dan Bernstein et al), EdDSA (Bernstein and colleagues), Poly
ascii_butugychag: mats: dh
ascii_butugychag: (wtf is anyone still using dh ??)
ascii_butugychag: 'Perfect Forward Secrecy (PFS) by means of ECDH or DH Kex ... opmsg builds fine with any of the OpenSSL, LibreSSL and BoringSSL...' << i've read enough.
ascii_field: mircea_popescu: we don't use dh!
ascii_field: http://log.bitcoin-assets.com/?date=15-10-2015#1299466 << dh is an atavistic barbarism ☝︎
asciilifeform: how about dhat ? ( http://valgrind.org/docs/manual/dh-manual.html )
asciilifeform: dh is best known as an american/eng author, but iirc his native lang is fr. on account of peculiar upbringing. and he knows plenty of others.
BingoBoingo: "Remove disabled (weakened export and non-ephemeral DH) cipher suites from the cipher list. This reduces code size, saves data segment space and prevents them from being turned back on at runtime by flipping a bit in memory."
Naphex: if i have to deliver DH/GPG secret to the client for GAuth
herbijudlestoids: each message has its own discarded AES key negotiated by DH
mikaeldice: How can I confirm and test (on the endpoint) the connection to the DH?
mod6: bouncy-castle is this lib that is available for use, which works fine with RSA but when it comes to DH/DSS or DSA/ElGamal no worky.
nubbins`: DH does a lot of fun splits
Scrat: most standard web setups use ephemeral DH keys nowadays
gribble: Nick 'Bane_Capital', with hostmask 'Bane_Capital!~clown@r74-192-154-88.gtwncmta01.grtntx.tl.dh.suddenlink.net', is not identified.