Cryptography as a component of security
I listened to yet another talk on computer security, which incorporated security. It got me to thinking two things: o Pseudo-random implies pseudo security. If you're re-keying by running the old key through a pseudo-random function without adding any new entropy, then you're not re-keying at all. o Security is not an absolute value. It only makes sense as a relative value. You cannot say that a system is secure. You can only say that it is secure against a certain threat. It's quite reasonable to say that GPG using a 2048-bit key is secure against all known attacks today. You've defined the threat (all known attacks today) and the type of cryptography. Any kind of claim of security, without defining what the expected attacks the system will withstand, are *inherently* snake oil. Let me say this again in the strongest possible terms: even if you are using industry-standard cryptography (e.g. RSA, Triple-DES, AES, etc), and yet you do not define your threat, then any claims that your system is secure are claims about snake oil. Maybe I'm preaching to the converted, but apparently you can get a PhD and apply for funding without understanding these issues. -- --My blog is at angry-economist.russnelson.com | Can I recommend python? Crynwr sells support for free software | PGPok | Just a thought. 521 Pleasant Valley Rd. | +1 315 268 1925 voice | -Dr. Jamey Hicks Potsdam, NY 13676-3213 | +1 315 268 9201 FAX | - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Legra's Crypto Coming Out
--- begin forwarded text Status: U Date: Mon, 3 Nov 2003 18:55:15 -0500 To: Philodox Clips [EMAIL PROTECTED] From: R. A. Hettinga [EMAIL PROTECTED] Subject: Legra's Crypto Coming Out Reply-To: Philodox Clips [EMAIL PROTECTED] Sender: [EMAIL PROTECTED] List-Subscribe: mailto:[EMAIL PROTECTED] http://www.unstrung.com/document.asp?doc_id=42917 Unstrung - The world wide source for analysis of the global wireless economy OCTOBER, 2003 ? Legra's Crypto Coming Out 11.03.03 Wireless LAN switch hopeful Legra Systems Inc. today announced that its products are now generally available, and it also gave more clues about the security aspects of its products. The firm is claiming that its hardware is the only box to handle cryptography at the switch-level with dedicated processors. Our approach is different from everyone else's, says Paul DeBeasi, VP of product management and marketing. We developed our own [cryptography] chip from scratch. DeBeasi says that Legra decided to take this approach because, with new security implementations like WPA (WiFi Protected Access), the cryptography [performance] becomes the new bottleneck. DeBeasi says that because of the additional silicon the Legra system can support up to 60 802.11b (11 Mbit/s over 2.4 GHz) access points or 12 a or g nodes (54 Mbit/s over 5 GHz and 2.4 GHz respectively) running at full speed with cryptography on. In the main, the details of Legra's product offering haven't changed since the company first spoke to Unstrung back in April (see Legra: The Perfect Prescription?). Like many other startups, the Burlington, Mass., firm is taking a distributed approach to wireless LAN networking with a switch that sits in the wiring closet or data center and can manage and secure Legra's stripped-down access points (see Legra: The Perfect Prescription?). Originally, Legra talked up the remote connection capabilities of its switch, emphasizing the fact that its access points and switch didn't need to be directly connected in order to communicate. But since April, rivals Airespace Inc. and Aruba Wireless Networks have both added similar capabilities to their offerings (seeAirespace Adds an Appliance and Aruba's Mini-Switch). - Dan Jones, Senior Editor, Unstrung -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' --- end forwarded text -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Clipper for luggage
From the New York Times. Any guesses on how long it'll take before your local hacker will have a key which will open any piece of your luggage? - Tim A Baggage Lock for You and the Federal Screeners By JOE SHARKEY Published: November 11, 2003 AIRLINE passengers will be able to lock checked bags confidently again starting tomorrow, thanks to a new customer-service initiative between private enterprise and the Transportation Security Administration. Here's how the plan will work: Several major luggage and lock retailers in the United States will announce tomorrow the availability of new locks, made by various manufacturers, that T.S.A. inspectors will be able to readily identify and open on checked bags selected for hand searches at airports. T.S.A. screeners in airports around the country have already been trained in using secure procedures to open the new certified locks when necessary, and relock them after inspecting bags. Literally since we began the process of screening every checked bag for explosives in December, one of the challenges has been the ability to get into bags without doing damage to them, said Brian Turmail, a spokesman for the T.S.A. The system, developed in cooperation with the T.S.A. and the Travel Goods Association, a trade group, was designed around a common set of standards that any company that manufactures, or is interested in manufacturing, luggage or luggage locks could follow that would allow T.S.A. screeners to open the bag without doing damage to the bag, in a manner that would allow the bag to stay secured afterwards,'' Mr. Turmail said. In other words, we can open it, but no one else can. The locks will be available in various manufacturers' designs. All will be geared around a uniform technology allowing them to be opened by T.S.A. inspectors using a combination of secure codes and special tools, according to John W. Vermilye, a former airline baggage-systems executive who developed the system through Travel Sentry, a company he set up for that purpose. All the locks will carry a red diamond-shaped logo to certify to screeners that they meet the Travel Sentry standards. Mr. Vermilye said his company would receive royalties from manufacturers. The system will ensure that passengers using the locks will not have to worry about a lock being broken or a locked bag being damaged if it is selected for hand inspection. It will also mean more peace of mind for passengers worried about reports of increased pilferage from unlocked bags. The general feeling of airline passengers is, 'I don't like to have to keep my bags unlocked,' added Mr. Vermilye, who once worked as a baggage handler. As somebody in the business for 30 years, I don't like it either, because I know what goes on in some baggage-handling areas, he said. An industry study showed that 90 percent of air travelers are now leaving checked bags unlocked, whereas before this year about 66 percent of them said they always locked their bags. I travel all the time, and I always used to lock my bags until this year, said Michael F. Anthony, the chairman and chief executive of Brookstone, a specialty retailer with 266 shops, including 30 in airports. Besides the worry about theft within the airline baggage-handling systems, Mr. Anthony said he was concerned on business trips about unlocked bags in the hands of cab and airport shuttle drivers, bellhops and others. Brookstone airport shops are planning to introduce the chain's own brand of new locks with in-store promotions tomorrow, Mr. Anthony said. A package of two four-digit Brookstone combination locks costs $20. Luggage and other accessories with the lock standards incorporated also will begin moving soon onto shelves at Brookstone and other retailers. Mr. Anthony said that the locks represented a needed air-travel customer-service breakthrough, helping people reclaim a sense of security they had in the past with their checked possessions. The T.S.A. mandated screening of all checked bags starting last Dec. 31. Since then, most of the estimated 1.5 million bags checked daily in domestic airports have been inspected by bomb-detecting machinery - but about 10 percent of checked bags are opened and inspected by hand. Initially, the T.S.A. planned to issue a blanket prohibition against locking bags, but the agency ultimately decided instead to merely suggest that passengers not lock them. The T.S.A. public directive on the subject says: In some cases screeners will have to open your baggage as part of the screening process. If your bag is unlocked, then T.S.A. will simply open the bag and screen the bag. However, if the bag is locked and T.S.A. needs to open your bag, then locks may have to be broken. You may keep your bag locked if you choose, but T.S.A. is not liable for damage caused to locked bags that must be opened.'' With bags unlocked, many travelers, including business travelers who pack
CodeCon Call for Papers
CodeCon 3.0 February 20-22, 2004 San Francisco CA, USA www.codecon.org Call For Papers CodeCon is the premier showcase of active hacker projects. It is an excellent opportunity for developers to demonstrate their work and keep abreast of what's going on in their communities. All presentations must include working demonstrations, ideally open source. Presenters must be one of the active developers of the code in question. We emphasize that demonstrations be of *working* code. CodeCon strongly encourages presenters from non-commercial and academic backgrounds to attend for the purposes of collaboration and the sharing of knowledge by providing free registration to workshop presenters and discounted registration to full-time students. We hereby solicit papers and demonstrations. Papers and proposals due: December 15, 2003 Authors notified: January 1, 2004 Possible topics include, but are by no means restricted to: community-based web sites - forums, weblogs, personals development tools - languages, debuggers, version control file sharing systems - swarming distribution, distributed search security products - mail encryption, intrusion detection, firewalls Presentations will be a 45 minutes long, with 15 minutes allocated for QA. Overruns will be truncated. Submission details: Submissions are being accepted immediately. Acceptance dates are November 15 and December 15. After the first acceptance date, submissions will be either accepted, rejected, or deferred to the second acceptance date. The conference language is English. Ideally, demonstrations should be usable by attendees with 802.11b connected devices either via a web interface, or locally on Windows, UNIX-like, or MacOS platforms. Cross-platform applications are most desirable. Our venue will be 21+. If you have a specific day on which you would prefer to present, please advise us. To submit, send mail to [EMAIL PROTECTED] including the following information: Project name url of project home page tagline - one sentence or less summing up what the project does names of presenter(s) and urls of their home pages, if they have any one-paragraph bios of presenters (optional) project history, no more than a few sentences what will be done in the project demo major achievement(s) so far claim(s) to fame, if any future plans Program Chair: Bram Cohen General Chair: Len Sassaman Program Committee: Jeremy Bornstein, Perpetual Entertainment Bram Cohen, Valve Jered Floyd, Permabit Len Sassaman, Anonymizer Jonathan Moore Brandon Wiley, Foundation for Decentralization Research Sponsorship: If your organization is interested in sponsoring CodeCon, we would love to hear from you. In particular, we are looking for sponsors for social meals and parties on any of the three days of the conference, as well as sponsors of the conference as a whole, prizes or awards for quality presentations, scholarships for qualified applicants, and assistance with transportation or accommodation for presenters with limited resources. If you might be interested in sponsoring any of these aspects, please contact the conference organizers at [EMAIL PROTECTED] Press policy: CodeCon strives to be a conference for developers, with strong audience participation. As such, we need to limit the number of complimentary passes for non-developer attendees. Press passes are limited to one pass per publication, and must be approved prior to the registration deadline (to be announced later). If you are a member of the press, and interested in covering CodeCon, please contact us early by sending email to [EMAIL PROTECTED] Members of the press who do not receive press-passes are welcome to participate as regular conference attendees. Questions: If you have questions about CodeCon, or would like to contact the organizers, please mail [EMAIL PROTECTED] Please note this address is only for questions and administrative requests, and not for workshop presentation submissions. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Certicom Earns FIPS 140-2 Validation on Palm OS
--- begin forwarded text Status: U Date: Wed, 12 Nov 2003 08:24:28 -0500 To: Philodox Clips [EMAIL PROTECTED] From: R. A. Hettinga [EMAIL PROTECTED] Subject: Certicom Earns FIPS 140-2 Validation on Palm OS Reply-To: Philodox Clips [EMAIL PROTECTED] Sender: [EMAIL PROTECTED] List-Subscribe: mailto:[EMAIL PROTECTED] http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=SVBIZINK3.storySTORY=/www/story/11-12-2003/0002056385EDATE=WED+Nov+12+2003,+07:03+AM Nov. 12, 2003 Silicon Valley Biz Ink :: The voice of the valley economy Certicom Earns FIPS 140-2 Validation on Palm OS back Security Builder GSE enables developers to quickly add a FIPS 140-2 validated cryptographic module to their government solutions MISSISSAUGA, ON, Nov. 12 /PRNewswire-FirstCall/ - Certicom Corp. (TSX: CIC), a leading provider of wireless security solutions, today announced that Security Builder(R) GSE(TM), Certicom's core developer toolkit for government, has earned the Federal Information Processing Standards (FIPS) 140-2 certification for the Palm OS 4.1 platform (certificate No. 351). This makes Security Builder GSE the first developer toolkit to provide a FIPS 140-2 validated module for multiple handheld operating systems. In June, Certicom announced FIPS 140-2 validation on Microsoft Windows and Microsoft Windows CE operating systems. By supporting multiple platforms, Security Builder GSE allows system integrators and original equipment manufacturers to use a common API to quickly and easily embed FIPS validated security into their devices and applications. Security Builder GSE is the core cryptographic module for all Certicom security applications which means movianVPN(TM) GSE for Palm and movianCrypt(TM) GSE for Palm also meet government security requirements. These products are particularly important to government agencies that need to securely extend their networks to wireless handhelds but are required to use only FIPS 140-2 validated applications. FIPS is considered a benchmark for security within U.S. and Canadian government departments and agencies and is becoming a de facto standard internationally. Products must undergo rigorous testing by an accredited independent lab to satisfy the governments' standards. FIPS 140-2 is awarded through the National Institute of Standards and Testing (NIST) and the Canadian Communication Security Establishment (CSE). We're extremely pleased Certicom has received FIPS 140-2 validation on the Palm platform. This will now make it easier for government workers to better integrate their Palm-powered handhelds into their secure networks, said John Inkley, director of federal sales for palmOne. Mobile workers want more than just secure access to email. They want access to corporate information and applications too. This validation provides not one, but many alternative solutions for everything from secure push e-mail to backend database access and updates. Now users can do it with the confidence that their security meets the government's most stringent guidelines. Since 1997, Certicom and Palm have worked together to enable mobile workers to protect sensitive information with a high level of security, without compromising the speed and flexibility of wireless devices. Certicom makes it easy for agencies to adhere to the strict security guidelines mandated by the government while still using the platform of their choice, said Tony Rosati, Certicom's vice-president, marketing and product management. This certification extends our relationship with Palm and underscores our commitment to provide strong security solutions for multiple platforms without impacting performance. Along with standard cryptography algorithms such as DES, 3DES, AES, SHA-1 and the RSA public key algorithm, Security Builder GSE also includes Elliptic Curve Cryptography (ECC), a public-key cryptography technique approved by the U.S. government and many standards organizations including ANSI, IETF, IEEE and NIST. Last month, the National Security Agency purchased licensing rights to some of Certicom's ECC intellectual property to protect mission critical national security information. Security Builder GSE is available immediately and is priced with a license fee and royalties based on the number of devices. For more information, visit http://www.certicom/gov. About Certicom Certicom is a leading provider of wireless security solutions, enabling developers, governments and enterprises to add strong security to their devices, networks and applications. Designed for constrained devices, Certicom's patented technologies are unsurpassed in delivering the strongest cryptography with the smallest impact on performance and usability. Certicom products are currently licensed to more than 300 customers including Texas Instruments, Palm, Research In Motion, Cisco Systems, Oracle and Motorola. Founded in 1985, Certicom is headquartered in Mississauga, ON, Canada, with offices
RE: Protection against offline dictionary attack on static files
Check PKCS #5: http://www.rsasecurity.com/rsalabs/pkcs/pkcs-5/index.html
Steve
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Arcane Jill
Sent: Thursday, October 23, 2003 3:21 AM
To: [EMAIL PROTECTED]
Subject: Protection against offline dictionary attack on static files
Hi,
It's possible I may be reinventing the wheel here, so my apologies if
that's so, but it occurs to me that there's a defence against an offline
dictionary attack on an encrypted file. Here's what I mean: Say you have
a file, and you want to keep it secret. What do you do? Obviously you
either encrypt it directly, or you store it in an encrytped volume
(thereby encrypting it indirectly). Problem? Maybe an attacker can
somehow get hold of the encrypted file or volume ... maybe your laptop
gets stolen maybe other people have access to your machine. In
principle, you're protected by your passphrase, but if an attacker can
get hold of the file, they can try an offline dictionary attack to guess
your passphrase, so unless you're very good at inventing high entropy
passphrases /and remembering them without writing them down/, there may
still be a risk.
Here's the defence:
To encrypt a file:
Generate a random number R between 0 and M-1 (for some fixed M, a
power of 256)
Type in your passphrase P
Let S = R || P (where || stands for concatenation)
Let K = hash(S)
K is now your encryption key. R is to be thrown away.
To decrypt the same file:
Generate a random number r between 0 and M-1
Type in your passphrase P
for (int i=r; ; i=(i+1)%M)
{
Let S = I || P
Let K = hash(S)
Try to decrypt using key K
}
This places a computational burden on your PC at decrypt-time. The
larger you choose M, the more CPU time it will take to figure out K. So,
you choose M such that it takes your PC about one second to find K, then
your attacker will experience the same burden - but multiplied a
squillionfold (a squillion being the entropy of your passphrase). This
means that even if your passphrase consists of just two words from a
dictionary, /and/ your attacker suspects this, it will still take him or
her over a hundred and fifty years to decrypt (assuming your attacker
has a PC of equivalent power). Even if your attacker has a faster PC
than you, it will still be relatively easy to pick a
strong-yet-memorable passphrase, since better tech can only ease the
attacker's problem, not remove it. All of a sudden, weak passphrases
turn into strong ones, and strong passphrases turn into computationally
infeasible ones.
Is this useful?
Has anyone come up with it before? (Someone must have ... but I don't
recall seeing the technique used in applications)
Jill
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Cryptography as a component of security
| I listened to yet another talk on computer security, which
| incorporated security. It got me to thinking two things:
|
| o Pseudo-random implies pseudo security.
|
| If you're re-keying by running the old key through a pseudo-random
| function without adding any new entropy, then you're not re-keying at
| all.
That's not true. Consider a stream cipher: It stretches your original key
into a much longer stream. By your argument, as soon as there is sufficient
generated stream to uniquely determine the key, no additional entropy is being
introduced, so all the rest is pseudo-security! But in fact the unicity point
must be reached very quickly, or the generated stream would be too *indepen-
dent* of the key, and an attacker could guess most of the stream without even
knowing the key.
Or consider the following construct: Suppose we have two encryption functions
E1 and E2, E1 is very fast, but breakable - there is an attack of concern to
us that becomes viable after an attacker has seen (or been able to partially
specify, if you want to think about chosen plaintext attacks) N plaintext/
ciphertext pairs. E2 is slow, but we consider it to be secure against the
attacks of concern. To encrypt the stream of plaintext P_i to ciphertext C_i,
do:
K - Master key
Choose n N
for i = 0, 1, ...
// Begin new segment
SK_i - E2(K,i)
for j = 0 .. n-1
C_{n*i + j} = E1(SK_i,P_{n*i + j})
Even if an attacker breaks into a number of segments and gets those S_i's
(which, BTW, is an assumption about the form of the attack: Some attacks
reveal the plaintext without revealing the key), what he's left with is a set
of plaintext/ciphertext pairs with which he now has to attack E2 - which is
assumed to be difficult. (Even worse for the attacker, even if he could mount
a chosen ciphertext attack against E1, he has no control over the plaintexts
fed into E2.)
Note that we assumed E2 was actually very strong. But even if we assume E2
has the same effective strength as E1 - it can be broken after seeing N
plaintext/ciphertext pairs - then the security guarantees (such as they are;
one would have to be more precise about the nature of attackable after N
pairs are seen vulnerability) are pretty much the same until about N^2
plaintext/ciphertext pairs have been sent.
-- Jerry
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
information security jobs @ google
[Moderator's note: I don't always take these, but this one seemed tasteful. --Perry] Hello all. We're looking to hire more security folks of the security analyst variety. This nebulously-titled job entails tasks such as design reviews, giving input on system and network architecture, reviewing code, and poking at live systems. Full job description is here: http://www.google.com/jobs/eng/sec_ops.html#info_security The requirements listed aren't set in stone, but the responsibilities laid out in the description are pretty accurate. Drop me an email if you want more information, or send me a resume if you're interested. Thanks. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Protection against offline dictionary attack on static files
Yes this is a good idea, and some people thought of it before also.
Look for paper secure applications of low entropy keys or something
like that by Schnieir, Wagner et al. (on counterpane labs page I
think).
Also the PBKDF2 function defined in PKCS#5 used to convert the
password into a key for unwrapping PKCS#12 uses the same idea. The
general approach is called key-stretching.
The approach usually involves some form of iterative hashing so
similar to what you proposed.
Adam
On Thu, Oct 23, 2003 at 08:20:35AM +0100, Arcane Jill wrote:
Hi,
It's possible I may be reinventing the wheel here, so my apologies if
that's so, but it occurs to me that there's a defence against an offline
dictionary attack on an encrypted file. Here's what I mean: Say you have
a file, and you want to keep it secret. What do you do? Obviously you
either encrypt it directly, or you store it in an encrytped volume
(thereby encrypting it indirectly). Problem? Maybe an attacker can
somehow get hold of the encrypted file or volume ... maybe your laptop
gets stolen maybe other people have access to your machine. In
principle, you're protected by your passphrase, but if an attacker can
get hold of the file, they can try an offline dictionary attack to guess
your passphrase, so unless you're very good at inventing high entropy
passphrases /and remembering them without writing them down/, there may
still be a risk.
Here's the defence:
To encrypt a file:
Generate a random number R between 0 and M-1 (for some fixed M, a
power of 256)
Type in your passphrase P
Let S = R || P (where || stands for concatenation)
Let K = hash(S)
K is now your encryption key. R is to be thrown away.
To decrypt the same file:
Generate a random number r between 0 and M-1
Type in your passphrase P
for (int i=r; ; i=(i+1)%M)
{
Let S = I || P
Let K = hash(S)
Try to decrypt using key K
}
This places a computational burden on your PC at decrypt-time. The
larger you choose M, the more CPU time it will take to figure out K. So,
you choose M such that it takes your PC about one second to find K, then
your attacker will experience the same burden - but multiplied a
squillionfold (a squillion being the entropy of your passphrase). This
means that even if your passphrase consists of just two words from a
dictionary, /and/ your attacker suspects this, it will still take him or
her over a hundred and fifty years to decrypt (assuming your attacker
has a PC of equivalent power). Even if your attacker has a faster PC
than you, it will still be relatively easy to pick a
strong-yet-memorable passphrase, since better tech can only ease the
attacker's problem, not remove it. All of a sudden, weak passphrases
turn into strong ones, and strong passphrases turn into computationally
infeasible ones.
Is this useful?
Has anyone come up with it before? (Someone must have ... but I don't
recall seeing the technique used in applications)
Jill
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Protection against offline dictionary attack on static files
On Thu, Oct 23, 2003 at 08:20:35AM +0100, Arcane Jill wrote: Hi, It's possible I may be reinventing the wheel here, Not really. You've just come down with a bad case of the PBEs. ;-) Take a look at PKCS #5 (here's a link to version 1.5: ftp://ftp.rsasecurity.com/pub/pkcs/ascii/pkcs-5.asc). Essentially, it's the scheme you just described, with provisions for generating more bits of keying material if the encryption algorithm requires more bits than the hash algorithm provides. (For instance, imagine AES with a 256 bit key, but suppose the hash algorithm is SHA-1, which only produces 160 bits of output.) - Ken - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
