Re: [cryptography] Constitutional Showdown Voided as Feds Decrypt Laptop
On Wed, Feb 29, 2012 at 5:53 PM, James S. Tyre jst...@jstyre.com wrote: (This is the case in Colorado, not the 11th Circuit Court of Appeals case which has been much discussed of late.) http://www.wired.com/threatlevel/2012/02/decryption-flap-mooted Constitutional Showdown Voided as Feds Decrypt Laptop By David Kravets Email Author February 29, 2012 | 5:17 pm Colorado federal authorities have decrypted a laptop seized from a bank-fraud defendant, mooting a judge's order that the defendant unlock the hard drive so the government could use its contents as evidence against her. The development ends a contentious legal showdown over whether forcing a defendant to decrypt a laptop is a breach of the 5th Amendment right against compelled self incrimination. The authorities seized the encrypted Toshiba laptop from defendant Ramona Fricosu in 2010 with valid court warrants while investigating alleged mortgage fraud, and demanded she decrypt it. Colorado U.S. District Judge Robert Blackburn ordered the woman in January to decrypt the laptop by the end of February. The judge refused to stay his decision to allow Fricosu time to appeal. They must have used or found successful one of the passwords the co-defendant provided them, Fricosu's attorney, Philip Dubois, said in a telephone interview Wednesday. Perhaps Fricosu reused a password and was on a mailing list using Mailman... ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
[cryptography] Certificate Transparency: working code
http://www.links.org/?p=1226 Certificate Transparency: Spec and Working Codehttp://www.links.org/?p=1226 Quite a few people have said to me that Certificate Transparency (CT) sounds like a good idea, but they’d like to see a proper spec. Well, there’s been one of those for quite a while, you can find the latest version in the code repositoryhttp://code.google.com/p/certificate-transparency/source/browse/doc/sunlight.xml, or for your viewing convenience, I just made an HTML versionhttp://www.links.org/files/sunlight.html . Today, though, to go with that spec, I’m happy to announce working codehttp://code.google.com/p/certificate-transparency/ for a subset of the protocol. This covers the trickiest part – a fully backwards compatible SSL handshake between servers and clients. The rest of the protocol will necessarily all be new code for interacting with the log server and other new components, and so should not have these issues. If you build the code according to the READMEhttp://code.google.com/p/certificate-transparency/source/browse/src/README, then you will find instructions in test/READMEhttp://code.google.com/p/certificate-transparency/source/browse/src/test/README for the demo. What this does, in short, is the following: - Run a CT log server. Currently this has no persistence across runs, but does keep a full log in memory. - Issue a self-signed server certificate. A CA issued certificate would also be fine, but not so easy to automate for a demo. - Use the CT client to register that certificate with the log server and to obtain a log proof for it. - Use the CT client to convert that proof into a fake “certificate” which can be included in the certificate chain in the TLS handshake. - Run an Apache 2.2 instance to serve the self-signed certificate and the log proof certificate. Note that Apache is unmodified, all that is needed is appropriate configuration. - Use the CT client to connect to the Apache instance and verify the presented log proof. - You can also connect to Apache with an existing browser to check that you can still access the site despite the presence of the log proof. There’s plenty more to be done, but this is the part that needs the earliest scrutiny, since we are bending the rules to get back compatibility and avoid the need to change server software. Client software has to change anyway to provide any benefit to users, so that’s less of a worry. We welcome discussion, suggestions and questions on the mailing listhttps://groups.google.com/group/certificate-transparency . ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Certificate Transparency: working code
Ben Laurie wrote: http://www.links.org/?p=1226 Quite a few people have said to me that Certificate Transparency (CT) sounds like a good idea, but they’d like to see a proper spec. Well, there’s been one of those for quite a while, you can find the latest version [...], or for your viewing convenience, I just made an HTML version http://www.links.org/files/sunlight.html. May I ask a (maybe stupid) question? ... audit proofs will be valid indefinitely ... Then what remains of the scheme reputation once Mallory managed to inject a fraudulent certificate in whatever is being audited (It's called a log but I understand it as a grow-only repository)? Actually, my expectation would be to read an explanation of which security services are being offered, and which kind and level of assurance the CT server operating organization is expected to provide. What is the problem being addressed and to who does the main benefit accrue / from whom involvement is expected? Once I can see these, I may appreciate Apache and browser backward compatibility features and the like. Thanks for your patience with my scrutiny. -- - Thierry Moreau CONNOTECH Experts-conseils inc. 9130 Place de Montgolfier Montreal, QC, Canada H2M 2A1 Tel. +1-514-385-5691 ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Certificate Transparency: working code
On 2012-03-02 7:14 AM, Thierry Moreau wrote: Then what remains of the scheme reputation once Mallory managed to inject a fraudulent certificate in whatever is being audited (It's called a log but I understand it as a grow-only repository)? Suppose an Iranian CA were to issue certificate for a US site. The US site would readily discover it, causing such grave embarrassment for the Iranian CA that they would probably refrain. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Constitutional Showdown Voided as Feds Decrypt Laptop
On Thu, Mar 1, 2012 at 5:49 PM, Steven Bellovin s...@cs.columbia.edu wrote: On Mar 1, 2012, at 4:33 12PM, Nico Williams wrote: On Thu, Mar 1, 2012 at 3:22 PM, Randall Webmail rv...@insightbb.com wrote: From: Jeffrey Walton noloa...@gmail.com Perhaps Fricosu reused a password and was on a mailing list using Mailman... Yeah - what's the deal with Mailman sending the password in clear-text, once a month? Did anyone really think that was a good idea? Was it a tradeoff between security and help desk support costs? What other reason could there be? Mailman passwords are of very low value. Precisely correct. The security mechanism is commensurate with the general risk. And if you're running that high-value a mailing list, you simply disable that feature. Low value to whom? Considering all the password reuse, some (such as the bad guys) would consider the username/password list high value. Jeff ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Constitutional Showdown Voided as Feds Decrypt Laptop
IOW, I doubt mailman is how they got Fricosu's password. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Constitutional Showdown Voided as Feds Decrypt Laptop
On 2012-03-01 8:53 AM, James S. Tyre wrote: The authorities seized the encrypted Toshiba laptop from defendant Ramona Fricosu in 2010 with valid court warrants while investigating alleged mortgage fraud, and demanded she decrypt it. Colorado U.S. District Judge Robert Blackburn ordered the woman in January to decrypt the laptop by the end of February. The judge refused to stay his decision to allow Fricosu time to appeal. They must have used or found successful one of the passwords the co-defendant provided them, Fricosu's attorney, Philip Dubois, said in a telephone interview Wednesday. What one man knows, no one knows, what two men know, everyone knows. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Constitutional Showdown Voided as Feds Decrypt Laptop
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 s/are/our/ grrr... :-) - - -- ___ Jeffrey I. Schiller MIT Technologist, Consultant, and Cavy Breeder Cambridge, MA 02139-4307 617.910.0259 - Voice j...@qyv.net http://jis.qyv.name ___ - -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFPUCBa8CBzV/QUlSsRAltxAJwPgKaSNEMhRJJ3dOUr29Tq1vT2bwCgggla Ew6HH+WhiaNj2QMj+lmXHok= =B3Cs - -END PGP SIGNATURE- -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iD8DBQFPUCCN8CBzV/QUlSsRAuNFAJ9LI2MkEA8UrifmPI0DwC81db6jhQCfdNRJ /PrCjjWaXXosN6+mRoTtyiY= =0+8y -END PGP SIGNATURE- smime.p7s Description: S/MIME Cryptographic Signature ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Constitutional Showdown Voided as Feds Decrypt Laptop
On Mar 1, 2012, at 8:18 32PM, Jeffrey I. Schiller wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 03/01/2012 06:09 PM, Nico Williams wrote: I let mailman generate passwords. And I never use them, much less re-use them. Well, I do use them when I need to change e-mail addresses, which happens very rarely, and then I start by asking mailman to send my my passwords because I don't remember them -- I've done this like once in the past decade. Perhaps mailman should be changed to require you to use its generated passwords, or better yet, to only generate a password when you ask it to send you your password, and then invalidate it after a few days. So it isn't really a password but a thunk of limited value. In this fashion we can be more assured that people aren't re-using passwords with mailman. Because... you and I may know better... the manager at the bank where are money is stored (or the doctors office where our medical records are located) may not know better... ;-) (typo corrected above.) Not a bad idea, though I'm not certain it's worth it. Fortunately, since the default is for it to auto-generate its passwords, they're not likely to be used elsewhere. I'd wager long odds that most people never even use that password. (And the bank or the doctor's office? They're not using mailman, because it would take a sysadmin to install it for them...) In an ideal world, perhaps this isn't necessary. Mailman would somehow learn everyone's email public key, to send passwords encrypted. Alternatively, it could somehow learn your web public key -- an in particular, the one you use for this mailing list -- and use it to verify the client-side cert you use to log in to this particular mailing list. (It can't be just any cert you have, since of course you have many of them to avoid being tracked.) Better yet, it could do a remote read on your /dev/brain and *know* when you wanted to log in, weren't under duress, etc. I regard that as about as likely as the public key alternatives, at least if we're sticking to the real world. Turning back to your specific suggestion: that sets the security of your mailman account to the security of your email account. Of course, that's what the current scheme does. The secret is valid for longer, but I'm not convinced that that matters all that much. --Steve Bellovin, https://www.cs.columbia.edu/~smb ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] cryptography Digest, Vol 25, Issue 3
___ - -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFPUCBa8CBzV/QUlSsRAltxAJwPgKaSNEMhRJJ3dOUr29Tq1vT2bwCgggla Ew6HH+WhiaNj2QMj+lmXHok= =B3Cs - -END PGP SIGNATURE- -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iD8DBQFPUCCN8CBzV/QUlSsRAuNFAJ9LI2MkEA8UrifmPI0DwC81db6jhQCfdNRJ /PrCjjWaXXosN6+mRoTtyiY= =0+8y -END PGP SIGNATURE- -- next part -- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4881 bytes Desc: S/MIME Cryptographic Signature URL: http://lists.randombit.net/pipermail/cryptography/attachments/20120301/97b82e64/smime.p7s -- ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography End of cryptography Digest, Vol 25, Issue 3 *** ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] cryptography Digest, Vol 25, Issue 2
From: cryptography-requ...@randombit.net Subject: cryptography Digest, Vol 25, Issue 2 To: cryptography@randombit.net Date: Thu, 1 Mar 2012 17:04:14 -0500 Send cryptography mailing list submissions to cryptography@randombit.net To subscribe or unsubscribe via the World Wide Web, visit http://lists.randombit.net/mailman/listinfo/cryptography or, via email, send a message with subject or body 'help' to cryptography-requ...@randombit.net You can reach the person managing the list at cryptography-ow...@randombit.net When replying, please edit your Subject line so it is more specific than Re: Contents of cryptography digest... Today's Topics: 1. Re: Constitutional Showdown Voided as Feds Decrypt Laptop (Jeffrey Walton) 2. Certificate Transparency: working code (Ben Laurie) 3. Re: Certificate Transparency: working code (Thierry Moreau) 4. Re: Constitutional Showdown Voided as Feds Decrypt Laptop (Randall Webmail) 5. Re: Certificate Transparency: working code (Nico Williams) 6. Re: Constitutional Showdown Voided as Feds Decrypt Laptop (Nico Williams) 7. Re: Certificate Transparency: working code (James A. Donald) -- Message: 1 Date: Thu, 1 Mar 2012 12:02:32 -0500 From: Jeffrey Walton noloa...@gmail.com To: James S. Tyre jst...@jstyre.com Cc: cryptography@randombit.net Subject: Re: [cryptography] Constitutional Showdown Voided as Feds Decrypt Laptop Message-ID: cah8yc8kc9uffayx3n5ytbgvcmmgwkplndsf3vbj39tepwzx...@mail.gmail.com Content-Type: text/plain; charset=UTF-8 On Wed, Feb 29, 2012 at 5:53 PM, James S. Tyre jst...@jstyre.com wrote: (This is the case in Colorado, not the 11th Circuit Court of Appeals case which has been much discussed of late.) http://www.wired.com/threatlevel/2012/02/decryption-flap-mooted Constitutional Showdown Voided as Feds Decrypt Laptop ? ?By David Kravets ? ?Email Author ? ?February 29, 2012 | ? ?5:17 pm Colorado federal authorities have decrypted a laptop seized from a bank-fraud defendant, mooting a judge's order that the defendant unlock the hard drive so the government could use its contents as evidence against her. The development ends a contentious legal showdown over whether forcing a defendant to decrypt a laptop is a breach of the 5th Amendment right against compelled self incrimination. The authorities seized the encrypted Toshiba laptop from defendant Ramona Fricosu in 2010 with valid court warrants while investigating alleged mortgage fraud, and demanded she decrypt it. Colorado U.S. District Judge Robert Blackburn ordered the woman in January to decrypt the laptop by the end of February. The judge refused to stay his decision to allow Fricosu time to appeal. They must have used or found successful one of the passwords the co-defendant provided them, Fricosu's attorney, Philip Dubois, said in a telephone interview Wednesday. Perhaps Fricosu reused a password and was on a mailing list using Mailman... -- Message: 2 Date: Thu, 1 Mar 2012 19:17:51 + From: Ben Laurie b...@links.org To: Crypto discussion list cryptography@randombit.net Subject: [cryptography] Certificate Transparency: working code Message-ID: cag5kpzz__renbn2byqob7wmqtmedqdn8y_axwpifccwm3k2...@mail.gmail.com Content-Type: text/plain; charset=windows-1252 http://www.links.org/?p=1226 Certificate Transparency: Spec and Working Codehttp://www.links.org/?p=1226 Quite a few people have said to me that Certificate Transparency (CT) sounds like a good idea, but they?d like to see a proper spec. Well, there?s been one of those for quite a while, you can find the latest version in the code repositoryhttp://code.google.com/p/certificate-transparency/source/browse/doc/sunlight.xml, or for your viewing convenience, I just made an HTML versionhttp://www.links.org/files/sunlight.html . Today, though, to go with that spec, I?m happy to announce working codehttp://code.google.com/p/certificate-transparency/ for a subset of the protocol. This covers the trickiest part ? a fully backwards compatible SSL handshake between servers and clients. The rest of the protocol will necessarily all be new code for interacting with the log server and other new components, and so should not have these issues. If you build the code according to the READMEhttp://code.google.com/p/certificate-transparency/source/browse/src/README, then you will find instructions in test/READMEhttp://code.google.com/p/certificate-transparency/source/browse/src/test/README for the demo. What this does, in short, is the following: - Run a CT log server. Currently this has no persistence across runs, but does keep a full log in memory. - Issue a self-signed
[cryptography] The NSA and secure VoIP
http://www.scmagazine.com.au/News/292189,nsa-builds-android-phone-for-top-secret-calls.aspx makes for interesting reading. I was particularly intrigued by this: Voice calls are encrypted twice in accordance with NSA policy, using IPSEC and SRTP, meaning a failure requires “two independent bad things to happen,” Salter said. Margaret Salter is the head of the Information Assurance Directorate of the NSA. --Steve Bellovin, https://www.cs.columbia.edu/~smb ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] The NSA and secure VoIP
On Thu, 1 Mar 2012, Jeffrey Walton wrote: On Thu, Mar 1, 2012 at 10:27 PM, Steven Bellovin s...@cs.columbia.edu wrote: http://www.scmagazine.com.au/News/292189,nsa-builds-android-phone-for-top-secret-calls.aspx makes for interesting reading. I was particularly intrigued by this: Voice calls are encrypted twice in accordance with NSA policy, using IPSEC and SRTP, meaning a failure requires “two independent bad things to happen,” Salter said. Margaret Salter is the head of the Information Assurance Directorate of the NSA. Interesting. I seem to recall that cascading ciphers is frowned upon on sci.crypt. I wonder if this is mis-information Yes, I've had that beaten into my head from books/talks/posts forever now, but I never quite understood it. If the end result of your ciphertext has headers or metadata that can be used for known-plaintext attack, then it makes sense, but if you are just feeding raw ciphertext into the next algorithm, it shouldn't be a danger... right ?___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] The NSA and secure VoIP
On Thu, Mar 1, 2012 at 7:31 PM, Jeffrey Walton noloa...@gmail.com wrote: ... Interesting. I seem to recall that cascading ciphers is frowned upon on sci.crypt. I wonder if this is mis-information you've got a single cipher suite applied for a given transport layer, but two layers of protection applied for defense in depth of the voice channel. seems pretty sane to me. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] The NSA and secure VoIP
On Thu, Mar 01, 2012 at 09:08:54PM -0800, coderman wrote: On Thu, Mar 1, 2012 at 7:31 PM, Jeffrey Walton noloa...@gmail.com wrote: ... Interesting. I seem to recall that cascading ciphers is frowned upon on sci.crypt. I wonder if this is mis-information you've got a single cipher suite applied for a given transport layer, but two layers of protection applied for defense in depth of the voice channel. seems pretty sane to me. They are also two separate protocols, so if one is found to be vulnerable to an attack, the other one will hopefully not suffer the exact same problem. Also, keep in mind that voice can be analyzed statistically, so I wouldn't be surprised if the second layer is put in to also minimize possible attacks such as the one against Skype. -- Nasko Oskov A hacker does for love what others would not do for money. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography