combining entropy
If I have N pools of entropy (all same size X) and I pool them together with XOR, is that as good as it gets?

My assumptions are:

* I trust no single source of Random Numbers.
* I trust at least one source of all the sources.
* no particular difficulty with lossy combination.

iang

- The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
[Fwd: [announce] THC releases video and tool to backup/modify ePassports]
We knew it was coming, right?

Original Message
Subject: [announce] THC releases video and tool to backup/modify ePassports
Date: Mon, 29 Sep 2008 10:00:26 +
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

http://freeworld.thc.org/thc-epassport/

29th September 2008

THC/vonJeek proudly presents an ePassport emulator. This emulator applet allows you to create a backup of your own passport chip(s). A video demonstrating the weakness is available at http://freeworld.thc.org/thc-epassport/

The government plans to use ePassports at Immigration and Border Control. The information is electronically read from the Passport and displayed to a Border Control Officer or used by an automated setup. THC has discovered weaknesses in the system to (by)pass the security checks. The detection of fake passport chips is no longer working. Test setups do not raise alerts when a modified chip is used. This enables an attacker to create a Passport with an altered Picture, Name, DoB, Nationality and other credentials. This manipulated information is displayed without any alarms going off. The exploitation of this loophole is trivial and can be verified using thc-epassport.

Regardless how good the intention of the government might have been, the facts are that tested implementations of the ePassports Inspection System are not secure. ePassports give us a false sense of security: We are made to believe that they make us more secure. I'm afraid that's not true: current ePassport implementations don't add security at all.

Yours sincerely,
vonjeek [at] thc dot org
The Hackers Choice
http://www.thc.org
TLS Server Name Indication and IDNA?
I am considering adding TLS Server Name Indication support in the Postfix SMTP server and client. I am puzzled by the exceedingly terse description of the semantics of the HostName sent in the SNI extension:

http://tools.ietf.org/html/rfc4366#section-3.1

    If the hostname labels contain only US-ASCII characters, then the client MUST ensure that labels are separated only by the byte 0x2E, representing the dot character U+002E (requirement 1 in Section 3.1 of [IDNA] notwithstanding). If the server needs to match the HostName against names that contain non-US-ASCII characters, it MUST perform the conversion operation described in Section 4 of [IDNA], treating the HostName as a query string (i.e., the AllowUnassigned flag MUST be set). Note that IDNA allows labels to be separated by any of the Unicode characters U+002E, U+3002, U+FF0E, and U+FF61; therefore, servers MUST accept any of these characters as a label separator. If the server only needs to match the HostName against names containing exclusively ASCII characters, it MUST compare ASCII names case-insensitively.

At least the Postfix SMTP client does not normally work with IDNA domains directly. In queued email messages the recipient domain is already ACE encoded, e.g. [EMAIL PROTECTED]. Suppose Postfix is configured to establish a TLS secure-channel with a mail server for this domain, and now wants to signal the required certificate name to the receiving SMTP server.

What should the SMTP client put in the RFC 4366 section 3.1 HostName:

- The ACE domain it is working with (xn--exmple-cua.com)?
- The underlying UTF8 domain name? (exämple.com)?

What should the server do when it receives the client's HostName?

- Convert ACE to UTF8?
- Convert UTF8 to ACE?
When searching for certificates with matching domain names, the receiving server may need to look at:

http://tools.ietf.org/html/rfc5280#section-7.1: subject CommonName rDNs, which may contain UTF8 strings
http://tools.ietf.org/html/rfc5280#section-7.2: subject Alternative Name v3 extensions which contain IA5 (ASCII) domain names.

What type of comparison is the server expected to perform?

- Convert UTF8 CommonName to ACE (also leave IA5 alone) and then compare?
- Convert ACE names in either subjectAltName or CN to UTF8 and then compare UTF8 strings (with NAMEPREP, STRINGPREP and all that jazz)?

This can be (to say the least) rather unpleasant. If IDNA is only between the user and the UI, with everything on the wire in ACE form, then all the pain is avoided:

- 4366 client sends ACE
- 4366 server uses received string uninterpreted
- Certificates contain ACE names in subjectAltName AND also in the CommonName where the name in question is a domain name.
- Server just does case insensitive search on ASCII strings.

If instead, client and server have to jump through hoops doing (tersely specified, and unlikely IMHO to inter-operate) IDNA conversions, then I may just bag the whole idea and do something more useful.

Anyone have any insight on what implementations are supposed to do?

-- 
Viktor.
Re: TLS Server Name Indication and IDNA?
RFC 4366 is somewhat of a mess. I do not remember the authors asking the authors of IDNA (of which I am one) about what they should do.

FWIW, I'm not sure why this would be on the cryptography list, but I'm not sure of that for most of the "we can design a better UI" threads either.

> What should the SMTP client put in the RFC 4366 section 3.1 HostName:
>
> - The ACE domain it is working with (xn--exmple-cua.com)?
> - The underlying UTF8 domain name? (exämple.com)?

Hopefully, the former. But if that doesn't work, try the latter.

> What should the server do when it receives the client's HostName?
>
> - Convert ACE to UTF8?
> - Convert UTF8 to ACE?

Hopefully, neither: leave it as an ACE.

> What type of comparison is the server expected to perform?
>
> - Convert UTF8 CommonName to ACE (also leave IA5 alone) and then compare?
> - Convert ACE names in either subjectAltName or CN to UTF8 and then compare UTF8 strings (with NAMEPREP, STRINGPREP and all that jazz)?

Hopefully, neither: leave it as an ACE.

> This can be (to say the least) rather unpleasant. If IDNA is only between the user and the UI, with everything on the wire in ACE form,

Yes.

> then all the pain is avoided:

Yes+. That's why we designed IDNA that way.

--Paul Hoffman, Director
--VPN Consortium
Re: EV certs: Doing more of what we already know doesn't work
Cool! ;-) Verisign's CPS has been an inspiration for me for quite a few years now. E.g., this statement has been in there for a number of years:

    The Certificate, however, provides no proof of the identity of the Subscriber.

Taken from page 12 of the current version, obviously (?) referring to so-called Class 3 certificates.

Cheers,

Stefan.

-
Stefan Kelm
Security Consulting
Secorvo Security Consulting GmbH
Ettlinger Strasse 12-14, D-76137 Karlsruhe
Tel. +49 721 255171-304, Fax +49 721 255171-100
[EMAIL PROTECTED], http://www.secorvo.de/
PGP: 87AE E858 CCBC C3A2 E633 D139 B0D9 212B
Mannheim HRB 108319, Geschaeftsfuehrer: Dirk Fox
unbreakable quantum crypto cracked by a laser
http://technology.newscientist.com/channel/tech/dn14866-laser-cracks-unbreakable-quantum-communications.html?feedId=online-news_rss20

Not surprisingly, it's attacking the implementation, not the physics -- but of course we use implementations to communicate, rather than theories.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
What does knot theory have to do with P^#P != NP ?
http://ephermata.livejournal.com/190880.html?mode=reply

David Molnar (ephermata) wrote, @ 2008-10-04 01:59:00
Current music: Crystal Castles - Air War

What does knot theory have to do with P^#P != NP ?

I didn't know, but Michael H. Freedman has an answer - by assuming that the complexity class P^#P is not equal to NP, you can prove a new theorem in knot theory!

Complexity Classes as Mathematical Axioms
M. Freedman
(Submitted on 30 Sep 2008)

Abstract: Treating a conjecture, P^#P != NP, on the separation of complexity classes as an axiom, an implication is found in three manifold topology with little obvious connection to complexity theory. This is reminiscent of Harvey Friedman's work on finitistic interpretations of large cardinal axioms.

http://arxiv.org/abs/0810.0033
Quantum Crypto broken again
A failure in implementation leads to the ability to eavesdrop on a quantum-secrecy based key exchange on 2/3 of the types of quantum equipment used.

From: http://technology.newscientist.com/article/dn14866-laser-cracks-unbreakable-quantum-communications.html

    Makarov and colleagues from Sweden and Russia have shown that Eve could control Bob's equipment, so that they both decode exactly the same digits from Alice's transmission...The method exploits the way a common type of photon counter can have its sensitivity reduced by a very bright flash of light. The attack begins when Eve fires a pulse of laser light to all four detectors in Bob's equipment...[Eve leverages this into getting the key] by sending on a sequence of encoded photons that are identical to the ones she receives from Alice, Eve can safely intercept a message without leaving the tell-tale quantum errors...Makarov and colleagues have now uncovered such vulnerabilities in two of the three types of quantum equipment commonly used. They are now investigating ways to solve the flaw without introducing more weaknesses.

A paper, "Can Eve control PerkinElmer actively-quenched single-photon detector?", is available at http://arxiv.org/ftp/arxiv/papers/0809/0809.3408.pdf.

-Michael Heyman
Re: Cube cryptanalysis?
Paul Hoffman wrote:
> At 11:08 AM -0700 8/21/08, Greg Rose wrote:
>> Adi mentioned that the slides and paper will go online around the deadline for Eurocrypt submission; it will all become much clearer than my wounded explanations then.
>
> There now: http://eprint.iacr.org/2008/385

Given all the excitement over the Cube attack, readers may be interested to have a closer look at an earlier paper by Vielhaber:

Breaking ONE.FIVIUM by AIDA (an Algebraic IV Differential Attack)
Michael Vielhaber
http://eprint.iacr.org/2007/413

Vielhaber claims that AIDA anticipates the Cube attack; see his post on the iacr eprint forum: http://eprint.iacr.org/forum/read.php?8,59

-James
Re: once more, with feeling.
Peter Gutmann wrote:
>> If this had been done in the beginning, before users -- and web site designers, and browser vendors -- were mistrained, it might have worked. Now, though? I'm skeptical.
>
> For existing apps with habituated users, so am I. So how about the following strawman: Take an existing browser (say Firefox), brand it as some special-case secure online banking browser, and use the new developments solution above, i.e. it only talks mutual-auth challenge-response crypto and nothing else. At that point you've reduced "Reformat user and reinstall browsing habits" to "Train users to only use safe-browser when they do their banking", i.e. 'Never enter banking details using anything other than safe-browser'. Even if you only get a subset of users doing this, it's still a massive attack surface reduction because you've raised the bar from any idiot who buys a phishing kit to having to perform a man-in-the-browser attack.

We've been debating this a lot at Google lately. One argument that I have increasing sympathy with is that SSO (or if you want to be modern, federated login) provides an opportunity to change the playing field sufficiently that we can reprogram users to be less vulnerable to phishing - or just switch them to protocols that make phishing irrelevant.

To that end, we've released some usability research...

http://google-code-updates.blogspot.com/2008/09/usability-research-on-federated-login.html

Obviously the end game here is that the user only has to protect his login to a small number of sites - i.e. those that provide the IdP. Once we get there, perhaps users can be persuaded to authenticate to those sites using something stronger than username/password.

A sidenote that provides me with some amusement: although the modern trend is towards using OpenID, no-one wants to use it in the mode it is designed for, i.e. where the user can pick any old IdP and the RP will just trust it.

In practice where we seem to be headed is that RPs will trust some smallish number of trusted IdPs. This is, of course, exactly what the Liberty guys have been working on all along. I predict that over time, most of the elements of Liberty will be incorporated into OpenID. Which makes me think that if Liberty had done what it claimed to be doing when it started, i.e. be a community-based, open-source-friendly protocol suite, it would have worked much better.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html   http://www.links.org/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
Using GPUs to crack crypto
Elcomsoft has a product that uses GPUs to do password-cracking on a variety of media. They claim a speed-up of up to 67x, depending on the application being attacked.

http://www.elcomsoft.com/edpr.html?r1=prr2=wpa

(This has led to a variety of stories (see, for example, http://www.scmagazineuk.com/WiFi-is-no-longer-a-viable-secure-connection/article/119294/) claiming that WPA is dead. The correct answer, though, is that passwords are dead, especially bad ones.)

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Snatching defeat from the jaws of victory
The DailyWTF has an entertaining writeup on how not to use strong crypto to protect an embedded device, in this case a Wii, at http://thedailywtf.com/Articles/Anatomii-of-a-Hack.aspx. The signature-verification function was particularly entertaining:

    decrypt_rsa(signature, public_key, decrypted_signature);
    if(strncmp(content_sha1, decrypted_signature + 236, 20) == 0)
      [...]

(And before you burst out laughing, Apple did something only slightly less bad in the iPhone).

Peter.
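Why the quoted comparison is wrong and what a correct one looks like, as an added C example (it is neither the Wii code nor anything from the DailyWTF article): it assumes a 256-byte decrypted RSA block with the 20-byte digest in its last 20 bytes, which is what the +236 suggests, and the sample digest and blocks are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout, matching the quoted check: a 256-byte decrypted RSA block
 * whose last 20 bytes (offset 236) hold the expected SHA-1 of the content. */
#define BLOCK_LEN   256
#define HASH_OFFSET 236
#define SHA1_LEN    20

/* The check as quoted.  strncmp() treats both buffers as C strings and stops
 * at the first NUL byte: if content_sha1[0] and the block byte at offset 236
 * are both 0x00 it compares two empty strings and reports a match without
 * looking at the other 19 bytes.  Any NUL inside the digest truncates the
 * comparison the same way.  Returns 1 on "match". */
int check_as_quoted(const uint8_t *content_sha1, const uint8_t *decrypted_signature)
{
    return strncmp((const char *)content_sha1,
                   (const char *)decrypted_signature + HASH_OFFSET, SHA1_LEN) == 0;
}

/* Fixed check: a digest is binary data, so compare all SHA1_LEN bytes, and do
 * it in constant time.  (A real verifier also validates the padding bytes in
 * front of the digest; that is outside this example.)  Returns 1 on match. */
int check_fixed(const uint8_t *content_sha1, const uint8_t *decrypted_signature)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < SHA1_LEN; i++)
        diff |= content_sha1[i] ^ decrypted_signature[HASH_OFFSET + i];
    return diff == 0;
}

/* Constructed content digest whose first byte is 0x00 (roughly one digest
 * in 256 looks like this).  It is not the SHA-1 of anything in particular. */
static const uint8_t SAMPLE_SHA1[SHA1_LEN] = {
    0x00, 0x8f, 0x1a, 0xc3, 0x5d, 0x77, 0x02, 0xe9, 0xb4, 0x41,
    0x6c, 0xd8, 0x93, 0x2b, 0xf0, 0x15, 0xa6, 0x7e, 0x59, 0xcc
};

/* A correctly signed block: padding, then SAMPLE_SHA1 at HASH_OFFSET. */
static void genuine_block(uint8_t *block)
{
    memset(block, 0xff, BLOCK_LEN);
    memcpy(block + HASH_OFFSET, SAMPLE_SHA1, SHA1_LEN);
}

/* A block whose digest field starts with 0x00 but is otherwise wrong. */
static void bogus_block(uint8_t *block)
{
    memset(block, 0xff, BLOCK_LEN);
    block[HASH_OFFSET] = 0x00;
    for (size_t i = 1; i < SHA1_LEN; i++)
        block[HASH_OFFSET + i] = (uint8_t)(0x10 * i);   /* 0x10, 0x20, ... */
}

/* Both checks accept the genuine block (expected: 1). */
int genuine_accepted_by_both(void)
{
    uint8_t block[BLOCK_LEN];
    genuine_block(block);
    return check_as_quoted(SAMPLE_SHA1, block) && check_fixed(SAMPLE_SHA1, block);
}

/* The quoted check accepts the bogus block (expected: 1). */
int bogus_accepted_by_quoted(void)
{
    uint8_t block[BLOCK_LEN];
    bogus_block(block);
    return check_as_quoted(SAMPLE_SHA1, block);
}

/* The fixed check rejects the bogus block (expected: 0). */
int bogus_accepted_by_fixed(void)
{
    uint8_t block[BLOCK_LEN];
    bogus_block(block);
    return check_fixed(SAMPLE_SHA1, block);
}

int main(void)
{
    printf("genuine accepted by both checks: %d\n", genuine_accepted_by_both());
    printf("bogus accepted by strncmp check: %d\n", bogus_accepted_by_quoted());
    printf("bogus accepted by fixed check:   %d\n", bogus_accepted_by_fixed());
    return 0;
}
```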
Chip-and-pin card reader supply-chain subversion 'has netted millions from British shoppers'
[British shoppers were promised high security by switching from credit cards to cards that have a chip in them and require that a PIN be entered for each transaction. That was the reason for changing everything over, at high cost in both money and inconvenience to shops and shoppers. Perhaps chip-and-pin HAS reduced overall fraud -- but check out this elaborate scheme that beat their security for tens of millions of UK pounds.

Now, why is this being announced by the US National Counter-intelligence Executive, Joel Brenner? Because none of the banks or stores is willing to admit it? Still, why publicize it at all? I find his quote very telling: "Previously only a nation state's intelligence service would have been capable of pulling off this type of operation." How would he know this? Which nation-states have done similar types of operation, and why isn't he telling the public about THEM instead of about these other criminals?

I've long suspected that NSA's (still secret) budget (approved by a tiny number of manipulated Congressmen) has been, uh, augmented, by its ability to manipulate financial markets using inside information obtained from domestic and global mass wiretaps. You don't suppose NSA is behind the recent market volatility, do you? It's easiest to skim off billions when trillions are hurriedly sloshing around in a panic. --gnu]

Forwarded-By: Kurt Albershardt [EMAIL PROTECTED]

Clever (and a tad frightening)

http://www.telegraph.co.uk/news/newstopics/politics/lawandorder/3173346/Chip-and-pin-scam-has-netted-millions-from-British-shoppers.html
http://www.telegraph.co.uk/news/worldnews/asia/pakistan/3173161/Credit-card-scam-How-it-works.html
German data retention law
Begin forwarded message:

From: Eugen Leitl [EMAIL PROTECTED]
Date: October 18, 2008 7:08:22 AM GMT-04:00
To: [EMAIL PROTECTED]
Subject: German data retention law

- Forwarded message from Karsten N. [EMAIL PROTECTED] -

From: Karsten N. [EMAIL PROTECTED]
Date: Sat, 18 Oct 2008 10:49:08 +0200
To: [EMAIL PROTECTED]
Subject: German data retention law
User-Agent: Thunderbird 2.0.0.6 (Macintosh/20070728)
Reply-To: [EMAIL PROTECTED]

Hi,

I. part: A short overview about the data retention law in Germany.

1: ISPs have to log the start and end of a user dial-in with time stamp and IP address. They do not have to log any content.
2: Public providers of electronic mail have to log all connections of users with time stamp, IP address, login account and the email addresses of sender and recipient for every mail (send and receive).
3: VoIP providers have to log all connections with timestamp, IP address and phone number of caller and recipient.
4: Phone and mobile phone providers have to log all connections and tries with timestamp, phone number and location.
5: Anon services have to log the rewrite of any information, which will be logged by a third party. (That's all, not very clear.)

At the moment, it seems not clear how tor is affected by this law. I read some papers from the government: An anon service (like tor or JAP) has to log, because the law will be useless otherwise. Some papers of non-government organizations like ULD: Tor and JAP are not affected by the telecommunication law, because it is not a telecommunication service (in the case of law) and tor nodes do NOT have to log.

Together with the JonDos GmbH (JAP) the GPF try to get a legal non-logging solution for tor, but the result is open and we are late. (Maybe too late?)

II. part: suggestion of a technical solution

Maybe tor can use geoip and divide the world in a logging area and a non-logging area. If the target host is inside the logging area (Germany), the exit node has to be outside. Otherwise a German node can be an exit too. In this case, we have two possibilities:

1: the target host is outside the logging area - no logging
2: the target host is inside the logging area - the exit is outside and writes no logs - a German entry or middle man has to log nothing, because it routes to a non-logging exit.

Because not all clients will update to a new version very quickly, we need a feature for German exit nodes to reject all routes from old clients, when the node is the exit of the route. Or, if it were simpler for the developer, a feature for exit nodes to define a country (based on geoip) to reject all exit routes. If all German relays used this feature, it may work. Otherwise, all German nodes have to switch to middle man.

It is only one suggestion, not the really best solution.

Karsten N.

- End forwarded message -

-- 
Eugen* Leitl leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Pulling Keystrokes Out of the Air
Computer keyboards are often used to transmit sensitive information such as username/password (e.g. to log into computers, to do e-banking money transfer, etc.). A vulnerability on these devices will definitely kill the security of any computer or ATM.

http://lasecwww.epfl.ch/keyboard/

Arshad Noor
StrongAuth, Inc.
Re: combining entropy
On 09/29/2008 05:13 AM, IanG wrote:
> My assumptions are:
>
> * I trust no single source of Random Numbers.
> * I trust at least one source of all the sources.
> * no particular difficulty with lossy combination.
>
> If I have N pools of entropy (all same size X) and I pool them together with XOR, is that as good as it gets?

Yes.

The second assumption suffices to prove the result, since (random bit) XOR (anything) is random.
ADMIN: backlog cleared
Moderator's note: Yes, I'm alive. I've just been insanely busy. I'm planning on adding a system so I can turn the list over to guest moderators before this happens again (in about a month, I'm anticipating.)

Perry
Re: combining entropy
[Moderator's note: top posting is not tasteful. --Perry]

I think it depends on what you mean by "N pools of entropy". Are you assuming that one of these sources is (pseudo)random, but you don't know which one? Are you assuming independence of these different sources? If both these assumptions hold, then XOR will do the trick.

If your only assumption is that one of the sources has high min-entropy (but may not necessarily be uniform), or if the independence assumption does not hold, then you may need to use some form of randomness extraction.

On Mon, 29 Sep 2008, IanG wrote:
> If I have N pools of entropy (all same size X) and I pool them together with XOR, is that as good as it gets?
>
> My assumptions are:
>
> * I trust no single source of Random Numbers.
> * I trust at least one source of all the sources.
> * no particular difficulty with lossy combination.
>
> iang
Re: combining entropy
On Mon, Sep 29, 2008 at 1:13 PM, IanG [EMAIL PROTECTED] wrote:
> If I have N pools of entropy (all same size X) and I pool them together with XOR, is that as good as it gets?

Surely not. Consider N pools each of size 1 bit. Clearly you can do better than the 1 bit your suggestion would yield. More concretely, concatenation would seem better than XOR.
Re: combining entropy
On Oct 24, 2008, at 14:29, John Denker wrote:
> On 09/29/2008 05:13 AM, IanG wrote:
>> My assumptions are:
>>
>> * I trust no single source of Random Numbers.
>> * I trust at least one source of all the sources.
>> * no particular difficulty with lossy combination.
>>
>> If I have N pools of entropy (all same size X) and I pool them together with XOR, is that as good as it gets?
>
> Yes.
>
> The second assumption suffices to prove the result, since (random bit) XOR (anything) is random.

Ah, but for this to hold, you will also have to assume that the N pools are all independent. If they are not, you cannot even guarantee one single bit of entropy (whatever that is).

For example, if N = 2, your trusted source is pool 1, and I can read pool 1 and control pool 2, I set pool 2 = pool 1, and all you get is zeros. And that surely does not contain X bits of entropy for any reasonable definition of entropy.

Fun,

Stephan
Re: combining entropy
L.S.,

> If I have N pools of entropy (all same size X) and I pool them together with XOR, is that as good as it gets?
>
> My assumptions are:
>
> * I trust no single source of Random Numbers.
> * I trust at least one source of all the sources.
> * no particular difficulty with lossy combination.

I take the last item to mean that you do not mind wasting entropy but want to be sure the resulting random number is unpredictable.

If you add one additional assumption:

* The sources are independent of each other

then the XOR of the random sources will be at least as unpredictable as the most unpredictable individual random source (to keep away from the entropy discussion). As far as I can see, this is the "if at least one source is unpredictable for a workload of x, the resulting random is also at least that unpredictable" property that you seem to be looking for.

If the sources are not independent, in the most extreme case: the sources are the same, the result is not so good. XORing in the same RNG stream twice, however good the RNG, is not so useful ;-)

Without the threat model, I am not sure if this is a problem for you, but if the attacker has control or knowledge of some of the sources, he also knows the XOR of the remaining ones. In the case he knows all but one source, and the remaining source is not so unpredictable (LFSR, poorly biased noise source), the result can be quite predictable (and in weak RNG designs, the remaining source might be compromised). Note that this could also be used to force the combined RNG to more likely generate a chosen output.

Using hash functions to combine the randoms makes it computationally harder for such chosen results to be generated; it quickly becomes effectively a search problem for hash collisions where you have only limited choice on the input. Also temporary lulls in the quality of the random sources are much better handled.

Peter Gutmann's dissertation has a very good description of what he did for hardening his cryptlib's random generation from many such attacks/mistakes.

With kind regards,

Wouter Slegers
Re: combining entropy
IanG wrote:
> If I have N pools of entropy (all same size X) and I pool them together with XOR, is that as good as it gets?
>
> My assumptions are:
>
> * I trust no single source of Random Numbers.
> * I trust at least one source of all the sources.
> * no particular difficulty with lossy combination.

Do you really trust that no single source of entropy can have knowledge of the other source's output, so it can surreptitiously correlate its own? I.e., you are also assuming that these sources are *independent*.

-- 
- Thierry Moreau
Re: Who cares about side-channel attacks?
On Mon, Oct 06, 2008 at 05:51:50PM +1300, Peter Gutmann wrote:
> For the past several years I've been making a point of asking users of crypto on embedded systems (which would be particularly good targets for side-channel attacks, particularly ones that provide content-protection capabilities) whether they'd consider enabling side-channel attack (SCA - no, not that SCA) protection in their use of crypto. So far I've never found anyone who's made
[...]
> In other words the user has to make a conscious decision that SCA protection is important enough that performance/power consumption can be sacrificed for it. Can anyone provide any data on users making this tradeoff? And since negative results are also results, a response of "I've never found anyone who cares either" is also useful. Since the information may be commercially

I have little experience on the embedded crypto side but I do maintain a crypto library that has some non-zero number of users on general desktop and server machines. Basic protections ala your point 2 are provided and enabled by default (blinding, and checking private key operations for consistency with the public, to prevent the really easy attacks). There used to be a toggle to disable blinding, which as far as I know was never used - or at least nobody complained when I removed the toggle.

To my memory nobody has ever asked about what SCA measures are or are not enabled, or how to toggle them, though I do have a FAQ entry about it, so perhaps people who really wanted serious side-channel resistance just read that FAQ and moved on to another implementation without ever bothering to contact me - certainly there are some self-selection problems with my sampling.

When FlexSecure wrote Botan's ECC implementation for BSI, they implemented a number of anti-timing attack countermeasures - but they were being paid to care about that, so this is probably not a valid datapoint.

-Jack
26 historic Enigmas found in Spain
http://www.theregister.co.uk/2008/10/24/spanish_enigmas/

Spanish discover cache of 26 Enigma machines
Franco's 'secret weapon' tracked to army HQ
By Lester Haines
Posted in Science, 24th October 2008 10:03 GMT

Spanish newspaper El País last week tracked down 26 examples of Franco's secret weapon against Republican forces in the country's civil war - a cache of perfectly-preserved Enigma machines hidden for years in a gloomy office in the army's main headquarters in Madrid.

Nationalist forces led by Franco acquired their first ten Enigma machines from Germany in 1936. While Hitler had already decided to offer Franco his full support in the Spanish civil war, this didn't actually extend to the full-fat military versions of Enigma, and his Iberian ally had to make do with the vastly inferior commercial D model. The German High Command was apparently concerned that careless Spaniards might let the Republicans get their hands on an Enigma. Indeed, even Germany's Condor Legion - dispatched to Spain to aid the Nationalist cause - also reportedly used commercial Enigmas in the field.

Nonetheless, the Republicans were never able to decipher Enigma communications between Franco and his top brass, and the machines' success led to further acquisitions. Commander Antonio Sarmiento, charged with training operators in Franco's Salamanca headquarters, enthusiastically reported in 1936: "To give some idea of the level of security these machines offer, it's suffice to say that the number of possible combinations is an astounding 1,252,962,387,456."

The total number of machines eventually bought by Spain is unknown, although estimates vary from 30 to 50. They were not withdrawn from service until the early 1950s, which offers the rather agreeable possibility that the British were able to read the Spanish dictatorship's military communications while Franco remained blissfully unaware that his Nazi sponsors' device had been laid bare by Bletchley Park years before.

Bootnote

El Reg is, of course, supporting Bletchley Park and the National Museum of Computing with our splendid Enigma t-shirt. Get it before Cash'n'Carrion's free shipping offer ends on 31 October.
Re: combining entropy
On Sep 29, 2008, at 5:13 AM, IanG wrote:
> If I have N pools of entropy (all same size X) and I pool them together with XOR, is that as good as it gets?
>
> My assumptions are:
>
> * I trust no single source of Random Numbers.
> * I trust at least one source of all the sources.
> * no particular difficulty with lossy combination.

It's within epsilon for a good many epsilon.

I'm presuming you want the resultant size to be X, as well. Otherwise, the suggestion that Ben has, concatenation, is obviously better, and you can solve obvious problems.

Another solution is to hash the N pools together with a suitably secure function. (Most of the available algorithms are suitably secure for this purpose.) The downside of this is that you are capping your entropy at the size of the hash function. It's better than XOR because it's not linear, blah, blah, blah.

However, if you had three pools, each relatively large, it doesn't hurt anything to XOR them together. It's pretty easy to prove that the result does not decrease entropy, but I think it's impossible to prove that it increases it. XORing is really taking the max of the N pools.

You have to realize that if there's a chance to leak the entropy pool, XOR is a bad function. If whoever produced pool X sees X^Y, then they know Y. But you know that, too.

Jon
Re: combining entropy
On Fri, Oct 24, 2008 at 10:23:07AM -0500, Thierry Moreau wrote:

> Do you really trust that no single source of entropy can have knowledge of the other source's output, so it can surreptitiously correlate its own? I.e., you are also assuming that these sources are *independent*.

I do not think one means the other here. An omniscient malicious RNG source seems quite unlikely in most threat models. However that is a very different statement from saying that lacking such an attacker, you can safely assume your 'pools of entropy' (to quote the original question) are independent in the information-theoretic sense.

Say you execute (on a Linux machine) two commands, like ifconfig -a and netstat -s (which print ASCII text with statistics about network interfaces and network protocols, respectively), capturing the output as two of your entropy sources. Both have some amount of entropy (perhaps zero if an attacker is on the machine and runs his commands at the same time as yours - and perhaps quite a bit more if the local machine happens to be safe). But they are certainly not statistically independent! Information in one will be somewhat reflected in the other (packet counters), and of course at the macro level all your inputs have the high bit unset, so if you combined via XOR your output will have at best .875 bits of entropy per bit.

To address IanG's question more directly, my first thought would be to use something like the design Hugo Krawczyk describes in "On Extract-then-Expand Key Derivation Functions and an HMAC-based KDF" (http://www.ee.technion.ac.il/~hugo/kdf/kdf.pdf) or one of the related PRNG designs he references.

Then use the output of the HMAC PRF to feed the DT vector of an X9.31 PRNG (using block cipher du jour), a trick AFAIK invented by Peter Gutmann which has always seemed like a good worst-case-scenario trick to me (for instance, if the code for the hash's compression function is miscompiled), though at the cost of extra code/design complexity (and thus points of failure) - as always there are tradeoffs to make.

-Jack (IANAC)
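Jack's two points above, that XORing ASCII command output can never yield more than 7 bits of entropy per byte, and that an HMAC-based extract-then-expand combiner is a better starting point, as an added worked example. This is not code from the thread or from Jack; the two "command outputs" are constructed ASCII stand-ins, not real ifconfig/netstat output, and the HKDF functions implement RFC 5869 (the standardised form of the Krawczyk design he cites), checked against that RFC's first test vector. The X9.31 post-processing step is not shown.

```python
import hashlib
import hmac

# Constructed stand-ins for the two command outputs Jack mentions.  They are
# not real ifconfig/netstat output, just ASCII text of the same general shape.
IFCONFIG_OUT = (
    b"eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55\n"
    b"          RX packets:1048576 errors:0 dropped:0 overruns:0\n"
)
NETSTAT_OUT = (
    b"Ip:\n"
    b"    1048576 total packets received\n"
    b"    1048570 incoming packets delivered\n"
)


def xor_bytes(a, b):
    """XOR two pools, truncating to the shorter one (lossy, as the question allows)."""
    return bytes(x ^ y for x, y in zip(a, b))


def high_bit_fraction(data):
    """Fraction of bytes with bit 7 set: about 0.5 for uniform bytes, 0 for ASCII."""
    return sum(1 for c in data if c & 0x80) / len(data)


def xor_bits_per_bit_bound(pools):
    """Upper bound on entropy per bit of the XOR of these pools.

    A bit position that is constant in every pool is constant in the XOR too, so it
    carries nothing; the bound is (bit positions that vary in some pool) / 8.
    """
    varying = 0
    for bit in range(8):
        if any(len({(c >> bit) & 1 for c in pool}) > 1 for pool in pools):
            varying += 1
    return varying / 8


def hkdf_extract(salt, ikm, hash_fn=hashlib.sha256):
    """RFC 5869 extract step: PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, hash_fn).digest()


def hkdf_expand(prk, info, length, hash_fn=hashlib.sha256):
    """RFC 5869 expand step: T(i) = HMAC-Hash(PRK, T(i-1) || info || i)."""
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), hash_fn).digest()
        out += block
        i += 1
    return out[:length]


def combine_pools(pools, salt=b"", info=b"entropy-pool-combiner", length=32):
    """Extract-then-expand over the concatenated pools.

    Concatenation rather than XOR, so structure that two sources share cannot
    cancel; HMAC as the extractor; then expand to the size wanted.  The info
    label is an arbitrary choice for this example.
    """
    return hkdf_expand(hkdf_extract(salt, b"".join(pools)), info, length)


def rfc5869_self_check():
    """Check hkdf_extract/hkdf_expand against RFC 5869 test case 1 (SHA-256)."""
    ikm = b"\x0b" * 22
    salt = bytes(range(13))
    info = bytes(range(0xF0, 0xFA))
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (
        prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
        and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                         "34007208d5b887185865"
    )


if __name__ == "__main__":
    pools = [IFCONFIG_OUT, NETSTAT_OUT]
    print("XOR: fraction of bytes with bit 7 set =", high_bit_fraction(xor_bytes(*pools)))
    print("XOR: entropy per bit is at best", xor_bits_per_bit_bound(pools))
    print("HKDF output: fraction with bit 7 set =", high_bit_fraction(combine_pools(pools)))
    print("RFC 5869 self-check passed:", rfc5869_self_check())
```

The XOR of the two ASCII pools never sets bit 7 in any byte, which is the 7/8 = .875 bound Jack gives; the HKDF output has no such fixed bit. Note what the HMAC step does and does not do: it spreads whatever entropy the concatenated pools contain over the whole output, but it cannot manufacture any, so the 0 bits from "an attacker running the same commands at the same time" stay 0 bits.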
Re: combining entropy
On 10/24/2008 01:12 PM, Jack Lloyd wrote:

> is a very different statement from saying that lacking such an attacker, you can safely assume your 'pools of entropy' (to quote the original question) are independent in the information-theoretic sense.

The question, according to the original poster, is not whether it is safe to assume that one of the entropy sources can be trusted. Safe or not, the question explicitly assumed that one of the sources was trusted ... and asked what the consequences of that assumption would be.

In particular, evidently the scenario was that we started with N high-entropy randomness generators, but N-1 of them have failed. One of them is still working, but we don't know which one. In that scenario, XOR is a good-enough combining function, and nothing else would be any better.

If somebody wants to discuss a different scenario, please clarify what the new scenario is.

Suggesting that the trusted source is correlated with one of the other sources is quite contrary to the requirements expressed in the original question. That is to say, if the source is not independent, it was never eligible to be a trusted entropy source.

If you want to quantify this, write down the _joint_ probability distribution for all the sources, and calculate the entropy of that distribution in the usual way.

1) There is _one_ very precise meaning for entropy that is well-established and conventional across a wide range of fields ... everything from kitchen appliances to cosmology. http://www.av8n.com/physics/thermo-laws.htm#sec-relevance

2) Authors are allowed to define and redefine terms however they please ... _provided_ they define any nonstandard terms that they use. Anybody who takes a well-established standard term and uses it in a nonstandard way has a double-extra-special duty to explain what he's doing.

I assume the original poster was using the term entropy in the conventional, precise sense ... and until I hear otherwise I will continue to do so.
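Jon's comparison of XOR with hashing the concatenation, Thierry's question about a source that can see the others' output, and John Denker's "N-1 failed, one still working" scenario, as one added worked example that is not code from the thread. It does what Denker suggests: write down the joint distribution of two small pools and measure each combiner's output, here by min-entropy (-log2 of the most likely value). The pool size of 8 bits, the fixed value of the "failed" source and the attacker's 0xC3 mask are arbitrary choices for illustration.

```python
import hashlib
import math
from collections import Counter

X = 8  # pool size in bits; small enough to enumerate the whole joint distribution


def min_entropy(dist):
    """Min-entropy in bits, -log2(max probability), of a {value: probability} map."""
    return -math.log2(max(dist.values()))


def xor_combine(pools):
    """IanG's combiner: XOR the N pools into one X-bit value."""
    out = 0
    for p in pools:
        out ^= p
    return out


def hash_combine(pools):
    """Jon's alternative: concatenate the pools and hash them (SHA-256 here)."""
    data = b"".join(p.to_bytes((X + 7) // 8, "big") for p in pools)
    return hashlib.sha256(data).digest()


def output_distribution(combine, source_a, source_b):
    """Exact distribution of combine([a, b]) for two sources.

    source_a maps value -> probability.  source_b is a function of a returning
    such a map, so it can model a source that has already seen a (Thierry's
    'surreptitiously correlating' source) as well as an independent one.
    """
    dist = Counter()
    for a, pa in source_a.items():
        for b, pb in source_b(a).items():
            dist[combine([a, b])] += pa * pb
    return dist


UNIFORM = {v: 1.0 / (1 << X) for v in range(1 << X)}
FAILED = {0x5A: 1.0}                 # a source that has died: always the same value
WEAK = {v: 0.25 for v in range(4)}   # 2 bits of min-entropy, far from uniform


def independent(dist):
    """A source that ignores what the other one produced."""
    return lambda a: dist


def cancelling(a):
    """Adaptive source: it has seen pool A's output and emits A xor 0xC3 (arbitrary mask)."""
    return {a ^ 0xC3: 1.0}


def scenario(name, source_a, source_b):
    xor_h = min_entropy(output_distribution(xor_combine, source_a, source_b))
    hash_h = min_entropy(output_distribution(hash_combine, source_a, source_b))
    return name, xor_h, hash_h


def run_all():
    """Min-entropy (bits) of the XOR and of hash(a||b) in each scenario."""
    results = [
        scenario("one good, one failed", UNIFORM, independent(FAILED)),
        scenario("one weak, one failed", WEAK, independent(FAILED)),
        scenario("two good, independent", UNIFORM, independent(UNIFORM)),
        scenario("one good, one cancelling", UNIFORM, cancelling),
    ]
    for name, xor_h, hash_h in results:
        print(f"{name:26s}  xor: {xor_h:5.2f} bits   hash(a||b): {hash_h:5.2f} bits")
    return {name: (xor_h, hash_h) for name, xor_h, hash_h in results}


if __name__ == "__main__":
    run_all()
```

The first two rows are Denker's scenario: with the other source dead, the XOR output carries exactly the surviving source's min-entropy (8 bits, or 2 for the weak source), which is Jon's "XOR takes the max", and hashing does no better. The third row is Ben's concatenation point: hash(a||b) keeps 16 bits where an X-bit XOR can return at most 8. The last row is the case Thierry raised and Jon warns about: a source that sees the other pool turns the XOR into the constant 0xC3, while hash(a||b) still has A's 8 bits because a -> (a, a^0xC3) is one-to-one. Nothing here has the hash creating entropy; its output is capped at the digest size, as Jon notes.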
Re: combining entropy
On Fri, Oct 24, 2008 at 03:20:24PM -0700, John Denker wrote:

> On 10/24/2008 01:12 PM, Jack Lloyd wrote:
>
> > is a very different statement from saying that lacking such an attacker, you can safely assume your 'pools of entropy' (to quote the original question) are independent in the information-theoretic sense.
>
> The question, according to the original poster, is not whether it is safe to assume that one of the entropy sources can be trusted. Safe or not, the question explicitly assumed that one of the sources was trusted ... and asked what the consequences of that assumption would be.

Perhaps our seeming disagreement is due to a differing interpretation of 'trusted'. I took it to mean that at least one pool had a min-entropy above some security bound. You appear to have taken it to mean that it will be uniform random?

-Jack