search for: schneier

...gt;> >> Is this an improvement (or more secure) despite going from 256bits to >> 128bits? > > yes it is because AES-GCM is currently the best cipher suite while there > is no point for AES256, if AES128 will fall then it likely affects > AES256 too and according to Brcue Schneier years ago AES128 has even > less problems then AES256 (too lazy for google it again) > Well, I am working in the crypto field and was a bit astonished about this "rant" - so a quick search brought up https://www.schneier.com/blog/archives/2009/07/another_new_aes.html - for those wh...

I've been reading on Bruce Schneier's blog about key diffusion and the key schedule in AES 256 being poor. Including this, for use in a geli encrypted provider, what are the pros and cons of selecting AES 128, 192, or 256?

...advance for your assistance. Sincerely, Jason Q. McClintic - -- Jason Q McClintic UST MB 1945 2115 Summit Avenue St. Paul, MN 55105 jqmcclintic at stthomas.edu mccl0219 at tc.umn.edu "It is insufficient to protect ourselves with laws, we must protect ourselves with mathematics."--Bruce Schneier -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEVAwUBSBfN5hMtGNvij6jtAQgx3gf7Bxmht6ODCjsvhuFPkW1QWC1ey/ygVW9m uuwNZVCz2hBNDSV2NktaOHe+hl3sEj4gmxv0Q6onf4Opg59o9OQ1EtaeY13S/ouk EIO2fERY7VQcFbqjr1SnhlXGfyjX5bLk0ipFlqd11...

According to https://cipherli.st/ > ssl = yes > ssl_cert = </etc/dovecot.cert > ssl_key = </etc/dovecot.key > ssl_protocols = !SSLv2 !SSLv3 > ssl_cipher_list = AES128+EECDH:AES128+EDH > ssl_prefer_server_ciphers = yes # >Dovecot 2.2.6 > Is what you want. Ok, so I have changed my ssl_cipher_list to: ssl_cipher_list = AES128+EECDH:AES128+EDH Before I made this change

Hello all, I've a cluster with an oracle database. The shared filesystem is provided from a SAN and there's LVM and ext3 fs. I've experienced some problem. During a normal switch of my cluster remounting FS on second node gave me problem. FS is corrupted. During a normal switch, operations done are: - oracle shutdown abort - oracle listernet shutdown - umount fs (using umount -l )

...i All, This is a general VPN question; PPTP VPNs seem to be very easy to set up with CentOS as the VPN server and the built-in windose client, but how do list members feel about the security vunerabilities reported with the MS implementation? Specifically the 6 problems reported here : http://www.schneier.com/pptp-faq.html or maybe im being paranoid? Would any of you roll this solution out using the MS client for business use? I generally dont trust anything MS does, especially when security is concerned I feel i should be leaning towards an IPSec VPN, would anyone agree? (exchanging keys is no...

Hi, I'm not a crypto expert, so after reading this interview with Bruce Schneier ( http://www.securityfocus.com/columnists/324 ) I'm wondering if OpenSSH has the same problem he talks about, that is one public-key algorithm. Doesn't OpenSSH use RSA, DSA, and DH ? Also, is there any plan to include those new NSA standards based on ECC ?

When my client connects, I see this in my log: dovecot: imap-login: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits) Whereas, when client connects to my postfix server, I see: Anonymous TLS connection established from * TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits) how can I tell dovecot to use AES256, instead of AES128 ? is this set by ssl_cipher_list ? Here are my current

Hi, From v3.0.0 onwards the hash function implemented by Rsync was changed from MD4 to MD5 (http://rsync.samba.org/ftp/rsync/src/rsync-3.0.0-NEWS). My understanding is that MD5 is a more secure, slower version of MD4 but I am not convinced that the added security of MD5 would alone have merited the change from MD4 (particularly since MD4 is ~30% faster than MD5). I wonder if I am missing other

...tation. Is anyone using this feature right now? Is there a helpful source for information this highly desired capability? Regards, -- Anthony Kava Senior Network Administrator Pottawattamie County, Iowa "Sheep are slow and tasty, and therefore must remain constantly alert." -- Bruce Schneier, "Beyond Fear" -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3660 bytes Desc: not available Url : http://lists.digium.com/pipermail/asterisk-users/attachments/20061218/e99708e6/smime.bin

...crypted using SSL 2.0, which reportedly suffers fromseveral cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients. See also : http://www.schneier.com/paper-ssl.pdf Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. See http://support.microsoft.com/kb/216482 for instructions on IIS. See http://httpd.apache.org/docs/2.0/mod/mod _ssl.html for Apache. Risk Factor: Medium / CVSS Base...

....liu.se, aes128-ctr, aes192-ctr, aes256-ctr Strong Encryption OpenSSH supports 3DES, Blowfish, AES and arcfour as encryption algorithms. These are patent free. Triple DES is a time proven and well understood cipher that provides strong encryption. Blowfish is a fast block cipher invented by Bruce Schneier that can be used by people that require faster encryption. AES <http://www.nist.gov/aes> is the US Federal Information Processing Standard (FIPS) Advanced Encryption Standard developed as a replacement for DES. It is a fast block cipher. Arcfour is a fast stream cipher. It is believed to be c...

When searching in google I could verify that many examples of used rules in shorewall do not exist to block port scanners external. Example: nmap. Somebody has some rule or example ? thanks.

...it. Thanks for any/all help. Sincerely, Jason Q. McClintic -- Jason Q McClintic UST MB 1945 2115 Summit Avenue St. Paul, MN 55105 jqmcclintic at stthomas.edu mccl0219 at tc.umn.edu "It is insufficient to protect ourselves with laws, we must protect ourselves with mathematics."--Bruce Schneier

Hi, I could not find this anywhere else reported, so here we go: creating a new btrfs filesystem (btrfs-progs-unstable from git) and mounting it succeeds, unmounting however fails with the kernel messages attached to this mail. After that, I can still read and write to the btrfs mount, but e.g. /bin/sync never finishes, sysrq-s never reports "Sync complete". I''m using a

Dear FreeBsd gurus, I have a problem concerning users password and authentication policies. The goal is 1)make freebsd to lock users after 3 unsuccessful login attempts, 2)force users to change their passwords every 90 days I've done such changes in Linux distros, with various PAM modules.But in Freebsd it seems that i need to use login.conf file. Here I made necessary changes in that

...gzilla.mindrot.org/show_bug.cgi?id=2154 P.S. I think it's wonderful you folks are working on curve25519, ed25519, and chacha20+poly1305. I've moved a bunch of systems to ECDHE last year, great speedup, especially from crap Atom clients, but feel that I've shot myself in the foot after Schneier's denouncement of the NIST curves. -- Gerald Turner Email: gturner at unzane.com JID: gturner at unzane.com GPG: 0xFA8CD6D5 21D9 B2E8 7FE7 F19E 5F7D 4D0C 3FA0 810F FA8C D6D5 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: applicati...

...same value. With the MD5 vunerability one has to specially engineer it. IMO it is extremely unlikely that it would happen by chance when used by rsync. If anyone worries about this then maybe rsync would move to SHA-1 at some point. And then what if someone finds a problem with SHA-1? Indeed, Bruce Schneier has an article on this at http://www.schneier.com/blog/archives/2005/02/sha1_broken.html. Again, I reckon that the SHA-1 vunerability would have no practical effect if SHA-1 was used in rsync. Just my $0.02.</font> <br> <br><font size=2 face="sans-serif">rsync uses...

Is anyone else concerned about the fact that rsync doesn't guarantee to produce identical file copies on the the target machine? Don't get me wrong in sounding critical because I think that rsync is a great example of how software should be written. (I often make the observation, as I learn more about Linux, and inevitably find myself comparing open source applications to Microsoft

...s system of security is better than one using a standardized and public algorithm which attracts a lot cryptanalytic work and may be broken in the near future or may have already been broken in secret. b) Intrinsically secret ciphers. Extend secrecy to parts of the encryption method. In his book, Schneier very briefly describes a variant of DES where the Sboxes (which most people would consider as part of the algorithm) are variable and depend on the key. Another very interesting possibility would have the key express the encryption method. In other words consider the key as the program, and the cip...