Re: A cool demo of how to spoof sites (also shows how TrustBar prevents this...)
On Thu, Feb 10, 2005 at 06:24:46PM -0500, Steven M. Bellovin wrote:

> [...] One member of this mailing list, in a private exchange, noted that he had asked his bank for their certificate's fingerprint. My response was that I was astonished he found someone who knew what he was talking about. [...]

I wrote on this list, in June 2003, the last time we had this conversation (regarding a similar plugin called SSLBar):

> Maybe this is a stupid question, but exactly how are you supposed to use this information to verify a cert? I've done an informal survey of a few financial institutions whose sites use SSL, and the number of them that were able to provide me with a fingerprint over the phone was exactly zero.

Which bank was that person you mention talking to?

--
- Adam -
** My new project -- http://www.visiognomy.com/daily
** Flagship blog -- http://www.aquick.org/blog
Hire me: [ http://www.adamfields.com/Adam_Fields_Resume.htm ]
Links: [ http://del.icio.us/fields ]
Photos: [ http://www.aquick.org/photoblog ]

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
more skype -- how are super nodes chosen/is diversity used
Anyone else actually know about these things?

On 2/10/05 7:48 PM, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

> david, thanks for your helpful analysis.
>
> one thing i haven't been able to find is a description of how supernodes are selected for a particular call. (i'd assume they'd attempt to select among those with best latency and adequate bandwidth to the communicating participants, if that could be determined -- trickier when you then add in a third participant.)
>
> do you (or does anyone) know, or willing to express an informed opinion:
>
> if i have enough bandwidth and compute power to be a supernode myself (or direct tcp connectivity to my peer) is it true that no other supernodes are involved in the key exchange or media traffic aspects of my call? (maybe in the search...)
>
> if i'm a puny-luser node (opposite of a supernode), is a single supernode used to accomplish both key exchange and media traffic for a specific call or all of my calls? does the client select the supernode, or is it selected for them?
>
> is there any attempt at diversity (either by splitting one from the other or splitting media traffic up among supernodes).
>
> yes, i understand by having enough bad-seed supernodes a bad guy may be able to assemble a call's parts despite diversity. but there are 1M skype users logged on right now, so i wonder how many bad-seeds i'd need for p.5 interception of a specific, targeted communicant.
- Forwarded message from David Farber [EMAIL PROTECTED] -

Date: Sun, 30 Jan 2005 11:40:09 -0500
Subject: [IP] more on Simson Garfinkel analyses Skype - Open Society Institute -- interesting set of comments djf
From: David Farber [EMAIL PROTECTED]
To: Ip ip@v2.listbox.com

-- Forwarded Message
From: David Pollak [EMAIL PROTECTED]
Date: Sun, 30 Jan 2005 07:44:21 -0800
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: FW: [IP] more on Simson Garfinkel analyses Skype - Open Society Institute

Dave,

I've been following the Simson/Skype thread on IP and I've read the Columbia analysis of the Skype protocol (http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf)

I've known Simson for 14 or so years and have a ton of respect for his technical skills. However, I think there are some significant Skype vulnerabilities and associated legal ramifications that Simson did not discuss in his article.

Security is based on trust of the parties exchanging information that they are who they claim and that the data exchanged appears to be random to an untrusted observer. While Skype's use of encryption supports the second part of the definition, it does not support the first.
Because it does not support the first, it is very easy to use the Skype network to intercept communications between any user or to pose as any user. This presents a problem as against both third parties and governmental agencies.

A critical part of the Skype network is the super-nodes. According to the Columbia paper, super-nodes perform 3 functions:

* Designating the login authority
* Media packet forwarding
* Routing user search requests

Super-nodes appear to volunteer to perform the function. Or put another way, they are nodes that are not under the control of Skype, but they perform all the routing functions necessary to discover a user and exchange information with the user. Super nodes run on any machine running the Skype program and the machines under Skype control have no way to determine if the super nodes are running unmodified Skype code.

If one were skilled in reverse engineering x86 code and one were willing to violate Skype's user agreement, one could create a Skype node that volunteered to be a super-node. It would appear to all other Skype nodes as a normal super-node. It would perform all the functions of a Skype super-node. However, it would do a little bit more. Let's call one of these super-nodes a bad seed.

The bad seed could point users to another authentication server. Thus, the user would exchange username and authentication information with a bad relay proxy rather than the Skype server. That permits the bad relay proxy to deny Skype access to a user that I designate. Okay a denial of service attack is not great stuff, but for
Re: A cool demo of how to spoof sites (also shows how TrustBar prevents this...)
Steven M. Bellovin [EMAIL PROTECTED] writes:

> Is a private root key (or the equivalent signing device) an asset that can be acquired under bankruptcy proceedings? Almost certainly.

Absolutely certainly. Even before Baltimore, CA's private keys had been bought and sold from/to third parties, usually as a result of bankruptcies or takeovers. You can also occasionally find lesser CA's keys left in crypto gear sold on ebay or similar surplus-disposal channels.

Peter.
Re: A cool demo of how to spoof sites (also shows how TrustBar prevents this...)
Steven M. Bellovin wrote:

> Unusual CA? I'm not sure what a *usual* CA is. Just for fun, I opened up the CA list that came with my copy of Firefox. There are no fewer than 40 different entities listed, many of whom have more than one certificate. I personally know less than half of them to be trustworthy -- and that's assuming that, say, Thawte, Thawte Consulting, and Thawte Consulting cc are all the same company and I can count that as three different ones. I had no idea that the U.S. Postal Service had a CA that was trusted by my browser -- and I dare say that many non-Americans wouldn't trust it at all, on the assumption that it would do whatever the U.S. government told it to do.

cylink had the contract ... bea had subcontract. usps was going to do some sort of in-person verification before issuing the certificate ... along the lines of US passports.
http://www.gcn.com/17_24/news/33918-1.html

this dates back to the days when the CA industry was floating business cases that there was going to be $100/annum x.509 identity certificate for every person in the country (the $20b/annum gift to the CA industry story). there was some rumor that if the gov. wouldn't cough up the $20b/annum, then the financial industry was just chopping at the bit to turn over $20b/annum to certification authorities.

there is a story from the period about an offer to a financial institution that if they would transmit a copy of the master account database of tens of millions of customers to the certification authority ... the certification authority would re-arrange the bits in each database entry into this magic format called a certificate and return the re-arranged magic bits to the financial institution at a mere $100/database entry (nominally overnight ... but possibly actually several days, maybe only earning the CA a measly $1b/day of work).
this overlapped with the realization that identity certificates were composed at some point in the past w/o any knowledge of just what identity information any future relying parties might require. as a result there was one strategy that it would be necessary to overload all identity certificates with every possible piece of identity information so as to cover all possible requirements possibly needed by future unknown relying parties. at the same time, the financial industry was realizing that identity certificates represented huge privacy and liability exposures ... and so you started to see retrenching by various parties (particularly the financial industry) to relying-party-only certificates. misc. past posts about relying-party-only certificates:
http://www.garlic.com/~lynn/subpubkey.html#rpo

The problem lurking in the background is that fundamentally, the certificate design-point is an offline paradigm in a situation where the relying-party has absolutely no recourse for obtaining information about the origin of the digital signature (so is reduced to operating with a letter-of-credit paradigm from the sailing ship era).

This fact was well highlighted in a digitally signed payment scenario. A bank customer was issued a relying-party-only certificate by their financial institution (after registering their public key in the financial institution's account record). The customer would then create a payment authorization message, digitally sign the message and then transmit the message, the digital signature and the bank's relying-party-only certificate back to the bank. Since the bank already has the customer's public key on file, the first thing it does is discard the transmitted certificate and verify the digital signature with the on-file public key.

Another minor annoyance was that the typical digital certificate was nominally two orders of magnitude (one hundred times) larger than the typical 8583 payment message.
So not only were the relying-party-only certificates redundant and superfluous ... its only apparent purpose was to increase transmission payload bloat by a factor of 100 times.

some past posts about browser trusted public key lists:
http://www.garlic.com/~lynn/aepay4.htm#comcert14 Merchant Comfort Certificates
http://www.garlic.com/~lynn/aepay4.htm#comcert16 Merchant Comfort Certificates
http://www.garlic.com/~lynn/2003l.html#27 RSA vs AES
(Fwd) OpenPGP flaw prompts quick fix
http://www.pgp.com/library/ctocorner/openpgp.html

10 Feb 2005

Today, cryptographers Serge Mister and Robert Zuccherato from Entrust released a paper outlining an attack on the way OpenPGP does symmetric cryptography. They have been kind enough to give the OpenPGP community advance notice of their paper, and it is thus the subject of this CTO Corner article, which I'm writing in cooperation with David Shaw of Gnu Privacy Guard (GnuPG), Brian Smith of Hush Communications, Derek Atkins of the OpenPGP Working Group, and Phil Zimmermann. In it, we'll discuss:

- What this discovery means to OpenPGP users
- Details of the attack and how it works
- What software and standards developers are doing about it

We in the OpenPGP community feel strongly about the quality of our work and appreciate the trust the world places in us. OpenPGP is arguably the most used and most relied-upon cryptosystem for messages and files. Consequently, it is our obligation to describe any problems with the standard and proposed resolution of those problems.

[...]

Our address and telephone number have changed!

Stefan Kelm
Security Consultant
Secorvo Security Consulting GmbH
Ettlinger Straße 12-14, D-76137 Karlsruhe
Tel. +49 721 255171-304, Fax +49 721 255171-100
[EMAIL PROTECTED], http://www.secorvo.de/
---
PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B
House backs major shift to electronic IDs
http://news.com.com/2102-1028_3-5571898.html?tag=st.util.print

CNET News

House backs major shift to electronic IDs
By Declan McCullagh
Story last modified Thu Feb 10 17:46:00 PST 2005

The U.S. House of Representatives approved on Thursday a sweeping set of rules aimed at forcing states to issue all adults federally approved electronic ID cards, including driver's licenses.

Under the rules, federal employees would reject licenses or identity cards that don't comply, which could curb Americans' access to airplanes, trains, national parks, federal courthouses and other areas controlled by the federal government. The bill was approved by a 261-161 vote.

The measure, called the Real ID Act, says that driver's licenses and other ID cards must include a digital photograph, anticounterfeiting features and undefined machine-readable technology, with defined minimum data elements that could include a magnetic strip or RFID tag. The Department of Homeland Security would be charged with drafting the details of the regulation.

Republican politicians argued that the new rules were necessary to thwart terrorists, saying that four of the Sept. 11, 2001, hijackers possessed valid state-issued driver's licenses. "When I get on an airplane and someone shows ID, I'd like to be sure they are who they say they are," said Rep. Tom Davis, a Virginia Republican, during a floor debate that started Wednesday.

States would be required to demand proof of the person's Social Security number and confirm that number with the Social Security Administration. They would also have to scan in documents showing the person's date of birth and immigration status, and create a massive store so that the (scanned) images can be retained in electronic storage in a transferable format permanently.

Another portion of the bill says that states would be required to link their DMV databases if they wished to receive federal funds.
Among the information that must be shared: All data fields printed on drivers' licenses and identification cards, and complete drivers' histories, including motor vehicle violations, suspensions and points on licenses.

The Bush administration threw its weight behind the Real ID Act, which has been derided by some conservative and civil liberties groups as tantamount to a national ID card. The White House said in a statement this week that it strongly supports House passage of the bill.

Thursday's vote mostly fell along party lines. About 95 percent of the House Republicans voted for the bill, which had been prepared by the judiciary committee chairman, F. James Sensenbrenner, a Wisconsin Republican. More than three-fourths of the House Democrats opposed it.

Rep. Eleanor Holmes Norton, a Democrat from Washington, D.C., charged that Republicans were becoming hypocrites by trampling on states' rights. "I thought the other side of the aisle extols federalism at all times," Norton said. "Yes, even in hard times, even when you're dealing with terrorism. So what's happening now? Why are those who speak up for states whenever it strikes their fancy doing this now?"

Civil libertarians and firearm rights groups condemned the bill before the vote. The American Civil Liberties Union likened the new rules to a de facto national ID card, saying that the measure would force states to deny driver's licenses to undocumented immigrants and make DMV employees act as agents of the federal immigration service.

Because an ID is required to purchase a firearm from a dealer, Gun Owners of America said the bill amounts to a bureaucratic back door to implementation of a national ID card. The group warned that it would empower the federal government to determine who can get a driver's license--and under what conditions.

--
- R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: TLS session resume concurrency?
On Fri, Feb 11, 2005 at 11:31:16AM -0500, Tim Dierks wrote:

> On Thu, 10 Feb 2005 15:59:04 -0500, Victor Duchovni [EMAIL PROTECTED] wrote:
>> If the symmetric cypher is fully re-keyed when sessions are resumed while avoiding the fresh start PKI overhead, then life is simple and sessions can be re-used unmodified. Otherwise I may need to ponder on designs for a multi-valued cache.
>
> I don't fully understand how you phrased the question in the two deleted paragraphs, but this one accurately describes the SSL/TLS session cache: it holds a shared secret derived from the original key exchange. For each connection, completely new encryption authentication keys are derived from this shared secret and per-connection random nonces provided by each party. One session can be safely reused for many connections, either serially or in parallel. The session cache is also write-once: starting a new connection from a session needn't update the cached secret or other parameters.

Thanks, this is very useful. This means that the Postfix session cache does not need multiple cached sessions per end-point. That makes TLS session management much easier. A single initial session can be re-used by overlapping subsequent deliveries.

--
    /\  ASCII RIBBON                       NOTICE: If received in error,
    \ /   CAMPAIGN    Victor Duchovni      please destroy and notify
     X    AGAINST     IT Security,         sender. Sender does not waive
    / \   HTML MAIL   Morgan Stanley       confidentiality or privilege, and use is prohibited.
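The property Tim describes, one cached master secret feeding brand-new keys for every connection, can be seen directly in the TLS 1.2 key schedule (RFC 5246 section 5 and section 6.3). The block below is an added example, not code from this thread or from Postfix: it implements the TLS 1.2 PRF with HMAC-SHA-256 and derives the key block for an initial full handshake and then for a resumed connection from the same master secret. The pre-master secret and the client/server randoms are constructed fixed values so the run is reproducible; a real handshake draws fresh randoms on every connection, including resumed ones, which is exactly why the resumed connection's traffic keys differ from the first connection's even though the cached secret never changes.

```python
"""Added example: TLS 1.2 PRF (RFC 5246 s.5) and per-connection key expansion (s.6.3)."""
import hmac

HASH = "sha256"  # the PRF hash for the TLS 1.2 SHA-256 cipher suites


def p_hash(secret, seed, length):
    """P_hash(secret, seed) = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ..., truncated."""
    out, a = b"", seed                           # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, HASH).digest()   # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, HASH).digest()
    return out[:length]


def prf(secret, label, seed, length):
    """PRF(secret, label, seed) = P_hash(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def derive_master_secret(pre_master, client_random, server_random):
    """Computed once per full handshake; this 48-byte value is what the session cache stores."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def derive_connection_keys(master, client_random, server_random,
                           mac_len=32, key_len=16, iv_len=16):
    """Key expansion for AES-128-CBC with HMAC-SHA-256; note the seed is server_random first."""
    total = 2 * (mac_len + key_len + iv_len)
    block = prf(master, b"key expansion", server_random + client_random, total)
    layout = [("client_write_mac_key", mac_len), ("server_write_mac_key", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_iv", iv_len), ("server_write_iv", iv_len)]
    keys, pos = {}, 0
    for name, size in layout:             # slice the key block in the order RFC 5246 specifies
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


def resumption_demo():
    """One full handshake, then a resumed connection reusing the cached master secret."""
    # Constructed fixed values so the run is reproducible; real handshakes use fresh randoms.
    pre_master = bytes(range(48))
    first = (b"\x11" * 32, b"\x22" * 32)         # (client_random, server_random), full handshake
    resumed = (b"\x33" * 32, b"\x44" * 32)       # new randoms exchanged on the resumed connection
    master = derive_master_secret(pre_master, *first)
    return master, derive_connection_keys(master, *first), derive_connection_keys(master, *resumed)


if __name__ == "__main__":
    master, k1, k2 = resumption_demo()
    print("cached master secret:", master.hex())
    for name in k1:
        print(f"{name:22s} first={k1[name].hex()[:16]}...  resumed={k2[name].hex()[:16]}...")
```

Because every traffic key is a function of the master secret and both randoms, two connections resumed from the same cache entry, serially or in parallel, never share a key or IV, and the cache entry itself is never rewritten; that is the write-once property that lets a single cached session serve overlapping deliveries.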
Re: fyi: Fingerprinting CPUs
[EMAIL PROTECTED] said:

> This subject came up before.
> http://citeseer.ist.psu.edu/shankar04side.html

ah, yes, in various forms. The refs in that paper lead to this, fwiw..
http://dynamo.ecn.purdue.edu/~kennell/genuinity/publications.html

JeffH
Break-In At SAIC Risks ID Theft
http://www.washingtonpost.com/ac2/wp-dyn/A17506-2005Feb11?language=printer

The Washington Post
washingtonpost.com

Break-In At SAIC Risks ID Theft
Computers Held Personal Data on Employee-Owners
By Griff Witte
Washington Post Staff Writer
Saturday, February 12, 2005; Page E01

Some of the nation's most influential former military and intelligence officials have been informed in recent days that they are at risk of identity theft after a break-in at a major government contractor netted computers containing the Social Security numbers and other personal information about tens of thousands of past and present company employees.

The contractor, employee-owned Science Applications International Corp. of San Diego, handles sensitive government contracts, including many in information security. It has a reputation for hiring Washington's most powerful figures when they leave the government, and its payroll has been studded with former secretaries of defense, CIA directors and White House counterterrorism advisers.

Those former officials -- along with the rest of a 45,000-person workforce in which a significant percentage of employees hold government security clearances -- were informed last week that their private information may have been breached and they need to take steps to protect themselves from fraud.

David Kay, who was chief weapons inspector in Iraq after nearly a decade as an executive at SAIC, said he has devoted more than a dozen hours to shutting down accounts and safeguarding his finances. He said the successful theft of personal data, by thieves who smashed windows to gain access, does not speak well of a company that is devoted to keeping the government's secrets secure.

"I just find it unexplainable how anyone could be so casual with such vital information. It's not like we're just now learning that identity theft is a problem," said Kay, who lives in Northern Virginia.

About 16,000 SAIC employees work in the Washington area.
Bobby Ray Inman, former deputy director of the CIA and a former director at SAIC, agreed. "It's worrisome," said Inman, who also received notification of the theft last week. "If the security is sloppy, it raises questions."

Ben Haddad, an SAIC spokesman, said yesterday that the Jan. 25 theft, which the company announced last week, occurred in an administrative building where no sensitive contracting work is performed. Haddad said the company does not know whether the thieves targeted specific computers containing employee information or if they were simply after hardware to sell for cash. In either case, the company is taking no chances.

"We're taking this extremely seriously," Haddad said. "It's certainly not something that would reflect well on any company, let alone a company that's involved in information security. But what can I say? We're doing everything we can to get to the bottom of it."

Gary Hassen of the San Diego Police Department said there are, at the moment, no leads. Haddad said surveillance cameras are in the building where the theft took place, but he did not know whether they caught the perpetrators on tape. He also did not know whether the information that was on the pilfered computers had been encrypted.

The stolen information included names, Social Security numbers, addresses, telephone numbers and records of financial transactions. It was stored in a database of past and present SAIC stockholders. SAIC is one of the nation's largest employee-owned companies, with workers each receiving the option to buy SAIC stock through an internal brokerage division known as Bull Inc.

Haddad said the company has been trying through letters and e-mails to get in touch with everyone who has held company stock within the past decade, though he acknowledged that hasn't been easy since many have since left the company. He said the company would take steps to ensure stockholder information is better protected in the future, but he declined to be specific.
The theft comes at a time when the company, which depends on the federal government for more than 80 percent of its $7 billion annual revenue, is already under scrutiny for its handling of several contracts. Last week on Capitol Hill, FBI Director Robert S. Mueller III testified that the company had botched an attempt to build software for the bureau's new Virtual Case File system. The $170 million upgrade was supposed to allow agents to sift through different cases electronically, but the FBI has said the new system is so outdated that it will probably be scrapped.

In San Antonio, SAIC is fighting the government over charges that the company padded its cost estimates on a $24 million Air Force contract. The case prompted the Air Force to issue an unusual alert to its contracting officials late last year, warning them that the Department of Justice believes that SAIC is continuing to submit defective cost or pricing data in support of its pricing proposals.

SAIC has defended its work for the
Fighting Net crime with code / Surge in phishing e-mails to take spotlight at cryptography conference
http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2005/02/14/BUG3NB9UTL1.DTL&type=printable

www.sfgate.com

Fighting Net crime with code
Surge in phishing e-mails to take spotlight at cryptography conference
- Carrie Kirby, Chronicle Staff Writer
Monday, February 14, 2005

Every year, a bunch of cryptographers throw a big party, business mixer and study session in the Bay Area. In their effort to make the world love the science of code making and breaking as much as they do, they invoke dramatic historical uses of cryptography: the etchings of the ancient Maya, the Navajo code talkers of World War II.

This time, the RSA Conference, opening today at Moscone Center in San Francisco, has crime as its theme. The 11,000 attendees will hear the tale of how federal agent Elizebeth Smith Friedman brought down a major ring of rum runners by cracking their sophisticated codes.

The timing couldn't be more apt. More people than ever are not just shopping but conducting their finances online, with 45 percent of Americans paying bills over the Internet in 2004, according to research group Gartner. That's a 70 percent increase from 2003, a shift that is making the Internet more attractive than ever to criminals.

"Crime on the Internet is probably the fastest-growing business there," said Ken Silva, vice president of networking and information security at VeriSign, the Mountain View company that secures Web sites and Internet transactions.

Phishing e-mails -- those little fraudulent notes asking you to confirm your bank account number, credit card number, ATM password or locker combination -- have been growing by 38 percent a month on average, according to the industry's Anti-Phishing Working Group. Gartner warns that phishing will erode the growth of e-commerce if nothing is done.

The folks gathering at the Moscone Center this week are the ones who do battle with all that, using -- you guessed it -- cryptography.
They're software developers, marketers, academics, business leaders -- including conference speakers Bill Gates of Microsoft, John Chambers of Cisco, Symantec's John Thompson and VeriSign's Stratton Sclavos -- and a few current and former government officials, such as Amit Yoran, who resigned in October after one year as the nation's top cyber security official.

Because phishing has shown the downside of using just a user name and password to access an online bank account, a panel featuring Yoran and other experts will look at safer ways for consumers to identify themselves on the Internet. Another panel will address businesses' fear that adding more security could make e-commerce and e-banking sites too cumbersome for consumers to use.

Another topic will be whether software companies should be held liable when bugs in their products allow theft to happen and whether the government should regulate software safety as the Federal Aviation Administration regulates airline safety.

Because most hackers and viruses get into computers through holes in Microsoft's nearly ubiquitous Windows software, Microsoft is always central in such discussions. But that is not a favorite topic for Microsoft leaders, and the preview blurb for Gates' speech, scheduled for Tuesday morning, makes no mention of that controversy. Instead, Gates is to discuss his perspective on the state of security today, the importance of continued innovation, and advances in Microsoft's platform, products and technologies designed to better protect customers.

The conference is run by Bedford, Mass., cryptography company RSA Security, which also has an office in San Mateo.

E-mail Carrie Kirby at [EMAIL PROTECTED]

Page E - 2
©2005 San Francisco Chronicle

--
- R. A. Hettinga mailto: [EMAIL PROTECTED]
critical bits in certs
Has anyone got any experience or tips on critical bits in certificates? These are bits that can be set in optional records that a certificate creator puts in there to do a particular job. The critical bit says "don't interpret this entire certificate if you don't understand this record."

x.509 certs have them, they are mentioned in RFCs
http://www.faqs.org/rfcs/rfc3039.html
http://www.faqs.org/rfcs/rfc2459.html

Also, OpenPGP may have them (I recall arguing against them a while back, never checked where it all ended).

The reason I ask is that a CA has started issuing certs with an optional critical section. It has a good reason to do this ... but the results aren't pretty, and the CA is now asking browser manufacturers to accept its certs and/or comply with the crit. Many issues are swirling around, so it seems useful to ask around.

iang

--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
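What a relying party is supposed to do with the critical flag is spelled out in RFC 2459 section 4.2: a certificate containing a critical extension the implementation does not recognise must be rejected, while an unrecognised non-critical extension may be ignored. The block below is an added example, not code from this post or from any CA or browser: it implements that rule over the DER encoding of an X.509 v3 Extensions sequence, using a minimal DER reader written here rather than a library so it runs offline. The inputs are constructed Extensions blobs; the private arc `1.3.6.1.4.1.99999` is a placeholder chosen for the example and not a real issuer's OID, and `KNOWN_EXTENSIONS` is the example's own table of what this toy relying party understands, not a browser's.

```python
"""Added example: enforce the X.509 'critical' extension rule over raw DER (RFC 2459 s.4.2)."""

# What this toy relying party recognises (the example's own table, not any browser's).
KNOWN_EXTENSIONS = {
    "2.5.29.15": "keyUsage",
    "2.5.29.17": "subjectAltName",
    "2.5.29.19": "basicConstraints",
    "2.5.29.37": "extKeyUsage",
}
PRIVATE_ARC = "1.3.6.1.4.1.99999"   # placeholder arc for the sample, not a real issuer's OID


# --- minimal DER encoder, used only to construct the sample inputs ---

def der_tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")     # long form: 0x80|len, then big-endian length
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid_value(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]            # first two arcs share one subidentifier
    out = bytearray()
    for s in subids:
        chunk = [s & 0x7F]
        s >>= 7
        while s:
            chunk.append(0x80 | (s & 0x7F))                  # continuation bit on all but the last byte
            s >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def der_extension(oid, critical, extn_value):
    body = der_tlv(0x06, encode_oid_value(oid))
    if critical:                                   # DER omits a BOOLEAN equal to its DEFAULT (FALSE)
        body += der_tlv(0x01, b"\xff")
    return der_tlv(0x30, body + der_tlv(0x04, extn_value))


# --- minimal DER reader for the relying-party side ---

def read_tlv(data, pos):
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("DER length runs past the end of the data")
    return tag, data[pos:end], end


def decode_oid(value):
    subids, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    first = subids[0]
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + subids[1:])


def parse_extensions(der):
    """Return (oid, critical, extnValue) for each Extension in a DER Extensions SEQUENCE."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    pos, exts = 0, []
    while pos < len(body):
        tag, ext, pos = read_tlv(body, pos)
        t, oid_bytes, p = read_tlv(ext, 0)
        if tag != 0x30 or t != 0x06:
            raise ValueError("malformed Extension")
        critical = False
        t, v, p = read_tlv(ext, p)
        if t == 0x01:                              # optional BOOLEAN present; DER TRUE is 0xFF
            critical = v != b"\x00"
            t, v, p = read_tlv(ext, p)
        if t != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        exts.append((decode_oid(oid_bytes), critical, v))
    return exts


def evaluate(der, known=KNOWN_EXTENSIONS):
    """RFC 2459 s.4.2: unknown + critical => reject the certificate; unknown + non-critical => ignore."""
    result = {"accept": True, "recognized": [], "ignored": [], "unknown_critical": []}
    for oid, critical, _value in parse_extensions(der):
        if oid in known:
            result["recognized"].append(known[oid])
        elif critical:
            result["unknown_critical"].append(oid)
            result["accept"] = False
        else:
            result["ignored"].append(oid)
    return result


# --- constructed sample inputs ---

def sample_acceptable():
    """keyUsage (critical), basicConstraints CA:FALSE (critical), one private non-critical extension."""
    return der_tlv(0x30, b"".join([
        der_extension("2.5.29.15", True, b"\x03\x02\x05\xa0"),    # digitalSignature, keyEncipherment
        der_extension("2.5.29.19", True, b"\x30\x00"),            # empty BasicConstraints SEQUENCE
        der_extension(PRIVATE_ARC + ".2", False, b"\x05\x00"),    # NULL payload, safe to ignore
    ]))


def sample_unknown_critical():
    """The same extensions plus a private one the relying party does not know, flagged critical."""
    _, inner, _ = read_tlv(sample_acceptable(), 0)
    return der_tlv(0x30, inner + der_extension(PRIVATE_ARC + ".1", True, b"\x05\x00"))


if __name__ == "__main__":
    print("acceptable:      ", evaluate(sample_acceptable()))
    print("unknown critical:", evaluate(sample_unknown_critical()))
```

The second sample is the situation the post describes: the same certificate body becomes unacceptable the moment the issuer flags its private extension critical, because a conforming relying party that has not been taught the extension has no option but rejection. Flipping the flag to non-critical, or teaching every relying party the extension, are the only two ways out the standard offers.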
NSA May Be 'Traffic Cop' for U.S. Networks
http://www.kansascity.com/mld/kansascity/news/politics/10898954.htm?template=contentModules/printstory.jsp

Posted on Mon, Feb. 14, 2005

NSA May Be 'Traffic Cop' for U.S. Networks
TED BRIDIS
Associated Press

WASHINGTON - The Bush administration is considering making the National Security Agency - famous for eavesdropping and code breaking - its "traffic cop" for ambitious plans to share homeland security information across government computer networks, a senior NSA official says.

Such a decision would expand NSA's responsibility to help defend the complex network of data pipelines carrying warnings and other sensitive information. It would also require significantly more money for the ultra-secret spy agency.

The NSA's director for information assurance, Daniel G. Wolf, was expected to outline his agency's potential role during a speech Wednesday at the RSA technology conference in San Francisco.

In an interview preceding his speech, Wolf told The Associated Press that computer networks at U.S. organizations are like medieval castles, each protected by different-size walls and moats. As the U.S. government moves increasingly to share sensitive security information across agencies, weaknesses inside one department can become opportunities for outsiders to penetrate the entire system, Wolf warned. Attackers could steal sensitive information or deliberately spread false information.

"If someone isn't working on being a traffic cop, giving guidance on how secure they need to be, a risk that is taken by one castle is really shared by other castles," Wolf said. "Who's defining the standards? Who says how high the walls should be?"

The NSA already helps protect systems deemed vital to the nation's security, such as those involved in intelligence, cryptography and weapons. Wolf said the administration is considering whether to designate its fledgling information-sharing efforts also under the NSA's purview.
The White House Office of Management and Budget currently directs efforts by civilian agencies to secure their computer networks. The NSA's information security programs are highly regarded among experts.

"Bring it on. This clearly ought to be done," said Paul Kurtz, a former White House cybersecurity adviser and head of the Washington-based Cyber Security Industry Alliance, a trade group. "This will raise the bar across the federal government to a far more secure infrastructure."

Congress has directed the NSA and the Department of Homeland Security to study the architecture and policies of computers for sharing sensitive homeland security information. In the latest blueprint for U.S. intelligence spending, lawmakers warned that attackers always search for weak links and that connecting distant systems will further increase the vulnerability of networks that originally were developed to be substantially isolated from one another.

It's unclear how the NSA's efforts would affect private companies, which own and operate many of the electrical, water, banking and other systems vital to government. Wolf said the agency already works to secure such systems important to military installations, but he denied that NSA would have any new regulatory authority over private computers.

"When we talk about being the traffic cop, we're not in charge of these networks," Wolf said. "We're not running these networks."

It also was unclear how much the effort might cost. "If you're going to have a network that everyone in government can get into, that means some agencies are going to have to come up to meet new, higher standards, and that's expensive," said James Lewis, director of technology policy at the Center for Strategic and International Studies, a conservative think-tank.

--
- R. A. Hettinga mailto: [EMAIL PROTECTED]
Making your IM secure--and deniable
http://news.com.com/2102-7355_3-5576246.html?tag=st.util.print

CNET News

Making your IM secure--and deniable

By Robert Lemos

Story last modified Mon Feb 14 17:05:00 PST 2005

SAN FRANCISCO--When you hit the Send button on an instant message, do you really know who is on the other end?

Two researchers at the University of California at Berkeley have created an add-on to instant messaging that they claim will enable the participants to identify each other and have a secure conversation without leaving any proof that the chat occurred.

The result, dubbed off-the-record (OTR) messaging by security researchers Ian Goldberg and Nikita Borisov, is a plug-in for the Gaim instant-messaging client that enables encrypted messages sans leaving a key--a sequence of characters--that could be used to verify that the conversation happened. That attribute, known in cryptography as perfect forward security, also prevents snoopers from reading any copies of the conversation.

If tomorrow, my computer is broken into and the encryption key is stolen, the attacker can't read future messages, said Goldberg, a graduate of Berkeley.

In order for a secure and deniable IM conversation to occur, both parties need to have the off-the-record program installed on Gaim or use America Online's Instant Messenger with a server set up to be a proxy with software also developed by Goldberg and Borisov, the researchers said.

When a previously unregistered user wants to have an OTR conversation, a dialog box will appear with a digital key, identifying the sender. If the user accepts the credentials of the person contacting him, the key will be stored on his computer so that in the future, the sender is considered to be trusted. After that, the two participants can chat securely; the conversation is encoded so that others cannot intercept and read it.

Goldberg and Borisov presented their program at the annual CodeCon gathering of developers Saturday.
People worried about instant-messaging security can download the software from the duo's site.

Goldberg said current messaging is insecure and criticized other solutions for leaving around logs and encryption keys that could be used as proof that a conversation happened. He said OTR messaging would give the participants the security without leaving any more trace of the conversation than today's instant-messaging clients--a worry for the privacy-centric security community.

I would like to see this on by default, Goldberg said. When you chat today, the messages are going through the clear, and there is no proof of who you are talking to.

While both the OTR messaging plug-ins and today's instant-messaging clients enable either participant to record logs of a conversation, those logs mean little after the conversation, Goldberg argued. The logs could be edited to add content. That's why the two researchers avoided using digital signatures, Goldberg said. That technology for encrypting messages would have also acted as a digital signature and left a signed record of the conversation.

-- R. A. Hettinga, The Internet Bearer Underwriting Corporation, http://www.ibuc.com/
'Trustworthy' Computing Now Gates' Focus
http://news.yahoo.com/news?tmpl=storycid=562u=/ap/20050215/ap_on_hi_te/security_conference_6printer=1

Yahoo!

'Trustworthy' Computing Now Gates' Focus

By MATTHEW FORDAHL, AP Technology Writer

SAN JOSE, Calif. - Microsoft Corp. co-founder Bill Gates is expected to give his perspective Tuesday on computer security and provide an update on the software giant's efforts to make computing more trustworthy.

He will speak to an estimated 11,000 security experts gathered for the weeklong RSA Conference, sponsored by RSA Security Inc., based in Bedford, Mass.

In the three years since Microsoft launched its initiative to improve the security of its products, the company has changed how its software is written, improved the mechanism for fixing bugs and released some tools for removing virtual pests.

So far, results have been mixed. While there have been no major attacks in recent months, the number of worms and viruses continues to grow and other headaches - such as spam, spyware and adware - are multiplying and quickly becoming security threats themselves. Most still target Microsoft Windows, the world's dominant operating system.

Since Gates (now the company's chairman and chief software architect) spoke at the RSA Conference in 2004, Microsoft has issued a major security upgrade to Windows XP aimed at blocking malicious code and protecting users from downloading programs that might carry a virus, worm or other unwanted program.

The company also has recently started releasing programs that remove a limited number of worms and other pests. It's also giving away an early version of Microsoft AntiSpyware, a program that removes unwanted programs and helps protect new ones from being installed.

But so far it's remained mum on when it will jump into the antivirus software business and directly compete against companies that sell programs designed to shore up Windows.
Microsoft declined to comment in advance of the speech.

It may be something of a natural evolution for them, although ironic given that it's a majority of their software is what they're having to protect, said Vincent Gullotto, vice president of McAfee's Antivirus and Vulnerability Emergency Response Team.

While they're building software to protect their software, they're also building their software to be secure, he added. It should prove to be some interesting times.

Meanwhile, Microsoft continues to be a target. Last week, a Trojan horse program was detected that attempts to shut down its antispyware program as well as steal online banking passwords.

This particular attempt appears to be the first by any piece of malware to disable Microsoft AntiSpyware, but it may be the first of many such future attacks, said Gregg Mastoras, senior security analyst at Sophos PLC, a security firm.

Meanwhile, other security software vendors aren't standing still. Symantec, for instance, has unveiled a new version of its corporate computer security software that promises not only to remove traditional viruses and worms but also adware and spyware. The updated programs are expected to be available next month.

Customers are looking for spyware and adware protection from their antivirus vendor, a partner they trust, said Brian Foster, Symantec's senior director of product management for client and host security.

McAfee Inc., another antivirus company, also is putting a greater focus on spyware and adware with its McAfee Anti-Spyware Enterprise for corporations. It will be available March 2.

McAfee also is announcing that it will send out updates of its virus definitions on a daily, rather than weekly basis. The new program starts Feb. 24 for its corporate clients. The more frequent updates will be available for its retail software in about three months, Gullotto said.

-- R. A. Hettinga, The Internet Bearer Underwriting Corporation, http://www.ibuc.com/
SHA-1 broken, says Schneier
From Bruce Schneier's weblog:
http://www.schneier.com/blog/archives/2005/02/sha1_broken.html

# SHA-1 has been broken. Not a reduced-round version. Not a simplified
# version. The real thing.
#
# The research team of Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu (mostly
# from Shandong University in China) have been quietly circulating a paper
# announcing their results:
#
# * collisions in the full SHA-1 in 2**69 hash operations, much
#   less than the brute-force attack of 2**80 operations based on the
#   hash length.
#
# * collisions in SHA-0 in 2**39 operations.
#
# * collisions in 58-round SHA-1 in 2**33 operations.
#
# This attack builds on previous attacks on SHA-0 and SHA-1, and is a
# major, major cryptanalytic result. This pretty much puts a bullet into
# SHA-1 as a hash function for digital signatures (although it doesn't
# affect applications such as HMAC).
#
# The paper isn't generally available yet. At this point I can't tell if
# the attack is real, but the paper looks good and this is a reputable
# research team.

This appears to be the same research team that published the MD5 collision technique back in August.

-andy
Schneier on Security: SHA-1 Broken
http://www.schneier.com/blog/archives/2005/02/sha1_broken.html

Bruce Schneier
Schneier on Security
A weblog covering security and security technology.

February 15, 2005

SHA-1 Broken

SHA-1 has been broken. Not a reduced-round version. Not a simplified version. The real thing.

The research team of Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu (mostly from Shandong University in China) have been quietly circulating a paper announcing their results:

* collisions in the full SHA-1 in 2**69 hash operations, much less than the brute-force attack of 2**80 operations based on the hash length.
* collisions in SHA-0 in 2**39 operations.
* collisions in 58-round SHA-1 in 2**33 operations.

This attack builds on previous attacks on SHA-0 and SHA-1, and is a major, major cryptanalytic result. It pretty much puts a bullet into SHA-1 as a hash function for digital signatures (although it doesn't affect applications such as HMAC where collisions aren't important).

The paper isn't generally available yet. At this point I can't tell if the attack is real, but the paper looks good and this is a reputable research team.

More details when I have them.

Posted on February 15, 2005 at 07:15 PM

Comments

Time for NIST to have another competition?

Posted by: David Magda at February 15, 2005 07:36 PM

So what hash functions are available that don't have a substantially similar construction? AFAIK, RIPEMD160 and the SHA256-384-512 series are of the same sort, and the attack could in principle work for them as well. There's Tiger, which appears quite different, and Whirlpool. Any other suggestions?

This is, it would appear, a collision attack, not a preimage attack, so I guess we have some time to phase out the old hash functions.

Posted by: Rafael Sevilla at February 15, 2005 08:25 PM

Feb. 7, 2005, Hashing out encryption: http://www.fcw.com/fcw/articles/2005/0207/web-hash-02-07-05.asp

Federal agencies have been put on notice that National Institute of Standards and Technology officials plan to phase out a widely used cryptographic hash function known as SHA-1 in favor of larger and stronger hash functions such as SHA-256 and SHA-512.

Posted by: David Mohring at February 15, 2005 08:56 PM

2**69 operations is still an awful lot of operations. What is it that lets us say that 2**69 is broken but 2**80 is not broken?

Posted by: Jordan at February 15, 2005 09:03 PM

> (although it doesn't affect applications such as HMAC)

Bruce, pardon my ignorance, but can you elaborate why this doesn't affect HMAC?

Posted by: Yakov Shafranovich at February 15, 2005 09:16 PM

That's 2**11 fewer operations. Let's say breaking this (2**69 ops) takes the NSA a week. If it had been 2**80, it would have taken 2048 weeks, or 39 years. If it would have taken the NSA (or whomever) a year to break SHA-1 before, it could be broken in 4 hours. My guess would be it would still take a lot longer than a week - but would now be in the realm of possibility, whereas before it would have been in the lifetime(s) range. However, this is totally a wild-assed-guess, based on the assumption that it was expected to take 100+ years before this to crack.

Posted by: Randell Jesup at February 15, 2005 09:19 PM

> ...whereas before it would have been in the lifetime(s) range.

Either way, it's well within the statute of limitations for whatever crime you've committed. ;-)

Posted by: Anthony Martin at February 15, 2005 09:25 PM

He said 69 CLL!!
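Jordan's and Yakov's questions in the comments above come down to one thing: whether the attacker can evaluate the function being attacked without knowing a secret. The following is an added illustration, not code from Schneier's post or the thread; SHA-1 truncated to 20 bits stands in for the broken hash so a birthday search finishes instantly, and the RSA primes and shared key are constructed toy values.

```python
import hashlib

# Constructed weak hash: SHA-1 truncated to 20 bits, so a birthday search
# finds a collision in roughly 2**10 trials. It stands in for the real
# 2**69 SHA-1 attack; the shape of the argument is the same.
DIGEST_BITS = 20

def weak_hash(msg: bytes) -> int:
    h = hashlib.sha1(msg).digest()
    return int.from_bytes(h[:3], "big") & ((1 << DIGEST_BITS) - 1)

def find_collision(prefix: bytes = b"invoice-"):
    """Birthday search over the public, unkeyed hash: needs no secret."""
    seen = {}
    i = 0
    while True:
        m = prefix + str(i).encode()
        d = weak_hash(m)
        if d in seen:
            return seen[d], m      # two distinct messages, same digest
        seen[d] = m
        i += 1

# Textbook RSA with tiny constructed primes (toy parameters, illustration only).
P, Q, E = 1019, 1031, 65537
N = P * Q                                  # 1050589 > 2**20, every digest fits
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent

def rsa_sign(msg: bytes) -> int:
    # Hash-then-sign: the signature depends on msg only through its digest.
    return pow(weak_hash(msg), D, N)

def rsa_verify(msg: bytes, sig: int) -> bool:
    return pow(sig, E, N) == weak_hash(msg)

def weak_hmac(key: bytes, msg: bytes) -> int:
    """HMAC (RFC 2104 structure, 64-byte block, key <= 64 bytes) over weak_hash."""
    key = key.ljust(64, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = weak_hash(ipad + msg).to_bytes(3, "big")
    return weak_hash(opad + inner)

def demo():
    m1, m2 = find_collision()
    sig = rsa_sign(m1)                     # the victim signs only m1 ...
    forged = rsa_verify(m2, sig)           # ... yet the signature verifies on m2
    key = b"constructed-shared-secret"     # constructed key, known to both peers
    tag = weak_hmac(key, m1)
    # The collision was found for weak_hash(m), but HMAC hashes (key ^ ipad) || m.
    # Without the key the attacker cannot run the birthday search over that
    # function, so the weak_hash collision does not carry over to the tag.
    transfers = weak_hmac(key, m2) == tag
    return {"collision": m1 != m2 and weak_hash(m1) == weak_hash(m2),
            "signature_forged": forged,
            "hmac_tag_transfers": transfers}

if __name__ == "__main__":
    print(demo())  # {'collision': True, 'signature_forged': True, 'hmac_tag_transfers': False}
```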
SHA-1 cracked
According to Bruce Schneier's blog (http://www.schneier.com/blog/archives/2005/02/sha1_broken.html), a team has found collisions in full SHA-1. It's probably not a practical threat today, since it takes 2^69 operations to do it and we haven't heard claims that NSA et al. have built massively parallel hash function collision finders, but it's an impressive achievement nevertheless -- especially since it comes just a week after NIST stated that there were no successful attacks on SHA-1.

--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Re: How to Stop Junk E-Mail: Charge for the Stamp
Barry Shein [EMAIL PROTECTED] writes:

> Eventually email will just collapse (as it's doing) and the RBOCs et al will inherit it and we'll all be paying 15c per message like their SMS services.

And the spammers will be using everyone else's PCs to send out their spam, so the spam problem will still be as bad as ever but now Joe Sixpack will be paying to send it. Hmmm, and maybe *that* will finally motivate software companies, end users, ISPs, etc etc, to fix up software, systems, and usage habits to prevent this.

Peter.