Re: [cryptography] skype backdoor confirmation
Danilo Gligoroski danilo.gligoro...@gmail.com wrote:

> 1. Indeed these discussions among the security community
> 2. Eventually some contacts with journalists will help the cause (one live demonstration on some security/crypto conference like Usenix, Black Hat, Crypto, ... will do the job).
> 3. I see a chance for some other product like: Zfone (that never took significant popularity), maybe Pidgin, maybe Cryptocat, ...
> 4. Even some open source security plugin for Skype.

My two cents:

4a: A SSH Java open source wrapper around Skype will do the job. The chat logs or any other traffic that Skype is leaking to some Echelon-like spying sites will be externally encrypted by the SSH wrapper.

Regards,
David

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] skype backdoor confirmation
On Thu, May 23, 2013 at 09:38:18AM +0200, David Adamson wrote:

> Danilo Gligoroski danilo.gligoro...@gmail.com wrote:
>
>> 1. Indeed these discussions among the security community
>> 2. Eventually some contacts with journalists will help the cause (one live demonstration on some security/crypto conference like Usenix, Black Hat, Crypto, ... will do the job).
>> 3. I see a chance for some other product like: Zfone (that never took significant popularity), maybe Pidgin, maybe Cryptocat, ...
>> 4. Even some open source security plugin for Skype.
>
> My two cents:
>
> 4a: A SSH Java open source wrapper around Skype will do the job. The chat logs or any other traffic that Skype is leaking to some Echelon-like spying sites will be externally encrypted by the SSH wrapper.

To move this thread a bit sideways, does anyone know whether Hangout claims to be end to end secure? Considering that Google is dropping XMPP support, I'm investigating other options, e.g. Jitsi. Has there been a security review for Jitsi?

[cryptography] Certificate expiry reminder tool?
Dear all,

is anyone of you aware of a (preferably open source) tool that keeps a database of certificates and sends e-mail reminders about the impending expiry (and hence the probable necessity of a renewal) to configurable e-mail address of the respective responsible person?

Regards,
Hans-Joachim.

--
5. Tag der IT-Sicherheit - 04.07.2013, IHK Karlsruhe
Information and registration: http://www.tag-der-it-sicherheit.de

Hans-Joachim Knobloch
Security Consulting
Secorvo Security Consulting GmbH
Ettlinger Strasse 12-14, D-76137 Karlsruhe
Tel. +49 721 255171-305, Fax +49 721 255171-100
hans-joachim.knobl...@secorvo.de, http://www.secorvo.de
PGP: A766 A23F 1079 3075 DF18 56E0 F61F A8F8
Mannheim HRB 108319, Managing Director: Dirk Fox

Re: [cryptography] Certificate expiry reminder tool?
Dear Hans-Joachim,

Oddly, there is in fact one, which “suddenly” appeared on my servers and which is nagging me currently about a soon-to-expire certificate. It sends out daily mails to root@host.domain with detailed information.

It's called certwatch and is at least shipped with fedora. It can be configured to send the mail to another address. It, however, natively only works for apache httpd certificates, by scanning the httpd config. It might be possible to give it options for different sources of certificates though.

Maybe it's a starting point.

good luck,
Jonas

Re: [cryptography] Certificate expiry reminder tool?
A generic solution is any kind of scheduler/calendar/reminder, right? Or what kind of tool do you imagine, and how is that specific to crypto?

On 23.05.2013 16:05, Hans-Joachim Knobloch wrote:

> Dear all,
>
> is anyone of you aware of a (preferably open source) tool that keeps a database of certificates and sends e-mail reminders about the impending expiry (and hence the probable necessity of a renewal) to configurable e-mail address of the respective responsible person?
>
> Regards,
> Hans-Joachim.

Re: [cryptography] Certificate expiry reminder tool?
Also be aware of the caveat that if you have a VIP with SSL termination behind it (i.e. on the hosts) and the CN points to the VIP you will be hitting only one of the many servers when doing verification. Same story with geo load balancing. It gets worse with active-passive deployments since you may change the active (which you are probing) and when it fails and you automatically fall back to the backup you may find it with broken certificates.

So make sure you test all resources that have the certificate and not just the resource that the CN resolves to.

Cheers,
Krassi

On Thu, May 23, 2013 at 8:18 AM, Moritz mor...@headstrong.de wrote:

> A generic solution is any kind of scheduler/calendar/reminder, right? Or what kind of tool do you imagine, and how is that specific to crypto?
>
> On 23.05.2013 16:05, Hans-Joachim Knobloch wrote:
>
>> Dear all,
>>
>> is anyone of you aware of a (preferably open source) tool that keeps a database of certificates and sends e-mail reminders about the impending expiry (and hence the probable necessity of a renewal) to configurable e-mail address of the respective responsible person?
>>
>> Regards,
>> Hans-Joachim.

Re: [cryptography] skype backdoor confirmation
On Mon, May 20, 2013 at 1:50 PM, Mark Seiden m...@seiden.com wrote:

> On May 20, 2013, at 1:18 PM, Nico Williams n...@cryptonector.com wrote:
>
>> Corporations are privacy freaks. I've worked or consulted for a number of corporations that were/are extremely concerned about data exfiltration.
>
> this is completely dependent on context -- the kind of company, the communicants involved, the regulatory environment, the material being conveyed. the variability is about as high as for natural persons, i reckon.

Yes, but there's always a need for privacy protection, and it's always well-justified and reasonable. And it's common to default to privacy protection.

> particularly in financial services, firms try to record and retain all of the communication with their customers in any channel. if they can't record it, they don't want to hear it (e.g. trading instructions sent via IM…)

Recording is one thing, but those recordings still need privacy protection. Customer data is treasured.

>> I'd not advise such corporations to use Skype without an agreement with Skype as to what can/does happen to their data, or else to be very careful about what is exchanged over Skype. And it does happen that sometimes a corporation's employees need to communicate with people over Skype or similar *external* systems.
>
> you can advise whatever you fancy, but skype, google, microsoft are unlikely to agree to any such thing unless your client is a Really Big company who pays them a lot of money. and why should they even bother their lawyers? pretty much, their service Is What it Is, take it or leave it.

Contracts are contracts. Especially if you pay for a service and privacy protection is stipulated, then the service provider has civil liability. And if you have the pocket depth for a lawsuit you have a good chance of getting said privacy protection, though not likely in relation to LEA (that depends on applicable laws and how much LEA respects them).

> of course, your clients are free to use some other service that provides what they're looking for or… do it themselves, which gives them total control and the high costs that go with that.

Correct. But it's not always easy. People can write their own mobile apps, but that's expensive, and you still get to concern yourself with whether the device vendor can MITM you through the app store. Fortunately HTML5 is making as-good-as-native apps possible for mobiles.

>> Beyond corporations, individuals absolutely have a right to private communications with their lawyers, etc... And there need not be any criminal or civil liability for an individual to hide. For example, if I were trying to patent something, I'd want my communications with my lawyer kept secret.
>
> oh, have you looked into how your lawyer receives your email? probably they host with the likes of google or some other outsourcer, because they're in the business of law, not IT.

I'm aware. I send sensitive documents to them via other methods, or encrypted over e-mail and then give them the passphrase out of band.

> do you use how they receive their email as a criterion for how you choose your patent lawyer?

No. I assume e-mail is public and refrain from sending sensitive information that way.

> last time i looked, the ABA does not require anything unusual, such as encryption, for privileged communication.

That's because there's no real, workable e-mail encryption solution, not one that lawyers and their typical clients can use easily.

Nico
--

Re: [cryptography] skype backdoor confirmation
Jitsi is XMPP or SIP. For the text-part, they have built-in support for OTR. Otherwise, there is no end-to-end secrecy as far as I know. For voicecalls, they have something similar, with some shared-secret verification which is validated using the text-channel, which is best secured with OTR I guess.

I know of no thorough reviews of their model though.

regards,
Jonas

Re: [cryptography] skype backdoor confirmation
They have implemented ZRTP for end to end security. It works with a diffie hellman key exchange, while protecting against man-in-the-middle attackers by comparing Short Authentication Strings (SAS). When you know the voice of the other person you can exclude Eve.

see https://jitsi.org/Documentation/ZrtpFAQ

Regards
Dominik

On 23.05.2013 20:01, Jonas Wielicki wrote:

> Jitsi is XMPP or SIP. For the text-part, they have built-in support for OTR. Otherwise, there is no end-to-end secrecy as far as I know. For voicecalls, they have something similar, with some shared-secret verification which is validated using the text-channel, which is best secured with OTR I guess.
>
> I know of no thorough reviews of their model though.
>
> regards,
> Jonas

Re: [cryptography] skype backdoor confirmation
can someone give a few lines of explanation on how the Retained shared Secret (RS) is used in ZRTP?

second, is it possible for an attacker to force an RS validation error (e.g. simulating network connection error by having a router drop packets) and then MiTM the DH handshake? the SAS is only 4 characters. presumably this is ascii so 2^27 = 531441 possibilities. On average the active MiTM attacker would need to try only half of them (real time) to find a collision. Do parties first commit (e.g. send H(N,g^x)) prior to sending their g^x to avoid the latter problem? If so, then what's the use of the SAS?

Sorry if all those questions are trivial...

Wasa

On 23/05/2013 19:05, Dominik Schürmann wrote:

> They have implemented ZRTP for end to end security. It works with a diffie hellman key exchange, while protecting against man-in-the-middle attackers by comparing Short Authentication Strings (SAS). When you know the voice of the other person you can exclude Eve.
>
> see https://jitsi.org/Documentation/ZrtpFAQ
>
> Regards
> Dominik
>
> On 23.05.2013 20:01, Jonas Wielicki wrote:
>
>> Jitsi is XMPP or SIP. For the text-part, they have built-in support for OTR. Otherwise, there is no end-to-end secrecy as far as I know. For voicecalls, they have something similar, with some shared-secret verification which is validated using the text-channel, which is best secured with OTR I guess.
>>
>> I know of no thorough reviews of their model though.
>>
>> regards,
>> Jonas

Re: [cryptography] skype backdoor confirmation
About the SAS: ZRTP uses a so called Hash Commitment with traditional Hashes before generating SAS values for voice comparison.

See http://zfone.com/docs/ietf/rfc6189bis.html#HashCommit

The use of hash commitment in the DH exchange constrains the attacker to only one guess to generate the correct Short Authentication String (SAS) in his attack, which means the SAS can be quite short. A 16-bit SAS, for example, provides the attacker only one chance out of 65536 of not being detected. Without this hash commitment feature, a MiTM attacker would acquire both the pvi and pvr public values from the two parties before having to choose his own two DH public values for his MiTM attack. He could then use that information to quickly perform a bunch of trial DH calculations for both sides until he finds two with a matching SAS. To raise the cost of this birthday attack, the SAS would have to be much longer. The Short Authentication String would have to become a Long Authentication String, which would be unacceptable to the user. A hash commitment precludes this attack by forcing the MiTM to choose his own two DH public values before learning the public values of either of the two parties.

Regards
Dominik

On 23.05.2013 20:59, Wasabee wrote:

> can someone give a few lines of explanation on how the Retained shared Secret (RS) is used in ZRTP?
>
> second, is it possible for an attacker to force an RS validation error (e.g. simulating network connection error by having a router drop packets) and then MiTM the DH handshake? the SAS is only 4 characters. presumably this is ascii so 2^27 = 531441 possibilities. On average the active MiTM attacker would need to try only half of them (real time) to find a collision. Do parties first commit (e.g. send H(N,g^x)) prior to sending their g^x to avoid the latter problem? If so, then what's the use of the SAS?
>
> Sorry if all those questions are trivial...
>
> Wasa
>
> On 23/05/2013 19:05, Dominik Schürmann wrote:
>
>> They have implemented ZRTP for end to end security. It works with a diffie hellman key exchange, while protecting against man-in-the-middle attackers by comparing Short Authentication Strings (SAS). When you know the voice of the other person you can exclude Eve.
>>
>> see https://jitsi.org/Documentation/ZrtpFAQ
>>
>> Regards
>> Dominik
>>
>> On 23.05.2013 20:01, Jonas Wielicki wrote:
>>
>>> Jitsi is XMPP or SIP. For the text-part, they have built-in support for OTR. Otherwise, there is no end-to-end secrecy as far as I know. For voicecalls, they have something similar, with some shared-secret verification which is validated using the text-channel, which is best secured with OTR I guess.
>>>
>>> I know of no thorough reviews of their model though.
>>>
>>> regards,
>>> Jonas

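The commit-then-reveal ordering described in the message above, as an added example that is not part of the original post and does not follow ZRTP's wire format: the commitment here is SHA-256 over pvi alone, the SAS is the first 16 bits of a hash, and the 127-bit toy group and the names `Party`, `sas16` and `run_exchange` are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy group, an assumption for illustration only: the Mersenne prime 2^127 - 1.
# It is far too small for real use.
P = 2**127 - 1
G = 3

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()

def enc(n: int) -> bytes:
    return n.to_bytes(16, "big")

def sas16(shared: int, pvi: int, pvr: int) -> str:
    """16-bit SAS bound to the DH result and both public values."""
    return h(b"sas", enc(shared), enc(pvi), enc(pvr))[:2].hex()

class Party:
    def __init__(self) -> None:
        self.sv = secrets.randbelow(P - 2) + 1   # secret value
        self.pv = pow(G, self.sv, P)             # public value

    def shared(self, other_pv: int) -> int:
        return pow(other_pv, self.sv, P)

def run_exchange(swap_after_commit: bool = False) -> dict:
    initiator, responder = Party(), Party()

    # 1. Initiator -> responder: commitment to pvi; pvi itself is withheld.
    commit = h(b"commit", enc(initiator.pv))
    # 2. Responder -> initiator: pvr, sent knowing only the commitment.
    pvr = responder.pv
    # 3. Initiator -> responder: pvi is revealed.
    pvi = initiator.pv
    if swap_after_commit:
        # Constructed failure case: the revealed value differs from the one
        # committed to in step 1 (always a different group element).
        pvi = (pvi * G) % P
    # 4. Responder checks the reveal against the commitment before deriving
    #    any key material; a mismatch aborts the exchange.
    if h(b"commit", enc(pvi)) != commit:
        return {"accepted": False, "reason": "pvi does not match commitment"}

    return {
        "accepted": True,
        "sas_initiator": sas16(initiator.shared(pvr), pvi, pvr),
        "sas_responder": sas16(responder.shared(pvi), pvi, pvr),
    }

if __name__ == "__main__":
    print(run_exchange())
    print(run_exchange(swap_after_commit=True))
```

Because the public value is fixed by the commitment before pvr is seen, the only remaining check is the spoken SAS comparison, which is why 16 bits suffice in the argument quoted above.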
Re: [cryptography] Certificate expiry reminder tool?
On 2013-05-23 17:47:13 +0200 (+0200), Hans-Joachim Knobloch wrote:

> [...]
> Maybe I would even start a project to develop such a tool. But why start coding if there already is a =80% solution to the problem? Hence my request.
> [...]

Did this for years with Nagios (formerly Netsaint), using the check_ssl_cert plugin. Technically speaking Nagios plugins are just simple command-line utilities, so you could call that plugin with the appropriate command-line options from a cron job, rely on cron to E-mail you the output on warning/critical condition. Of course it doesn't have any built-in scanning or automatic discovery of contact addresses from the cert material, but for =80% of use cases none of that is necessary.

http://exchange.nagios.org/directory/Plugins/Network-Protocols/HTTP/check_ssl_cert/details

--
{ PGP( 48F9961143495829 ); FINGER( fu...@cthulhu.yuggoth.org ); WWW( http://fungi.yuggoth.org/ ); IRC( fu...@irc.yuggoth.org#ccl ); WHOIS( STANL3-ARIN ); MUD( kin...@katarsis.mudpy.org:6669 ); }

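An added example (not from the thread, and not part of certwatch or check_ssl_cert) of the check Krassi's caveat calls for, in the cron-job style suggested above: probe every backend address directly, sending the shared name via SNI, instead of only the address the name resolves to. The function names are assumptions, and `www.example.org`, the 192.0.2.x addresses and the canned results in `demo()` are constructed.

```python
import socket
import ssl
import time

def fetch_not_after(ip, port, server_name, timeout=5.0):
    """Connect to one specific backend address, present server_name via SNI,
    and return the notAfter field of the certificate it serves."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return tls.getpeercert()["notAfter"]

def check_backends(server_name, backends, warn_days=30, now=None,
                   fetch=fetch_not_after):
    """Check every backend that serves the certificate, not only the address
    the name resolves to. Returns a list of (ip, status, detail)."""
    now = time.time() if now is None else now
    report = []
    for ip, port in backends:
        try:
            not_after = fetch(ip, port, server_name)
        except OSError as exc:
            # Covers refused connections and TLS failures, including a
            # certificate that is already expired (verification error).
            report.append((ip, "ERROR", str(exc)))
            continue
        days = int((ssl.cert_time_to_seconds(not_after) - now) // 86400)
        status = "WARN" if days < warn_days else "OK"
        report.append((ip, status, f"{days} days left, notAfter={not_after}"))
    return report

def demo():
    """Constructed sample: three hosts behind one VIP, with canned results in
    place of network access (192.0.2.0/24 is a documentation range)."""
    canned = {
        "192.0.2.10": "May 23 00:00:00 2014 GMT",   # active node, renewed
        "192.0.2.11": "Jun 02 00:00:00 2013 GMT",   # node missed by renewal
    }
    def fake_fetch(ip, port, server_name):
        if ip not in canned:                        # standby with a dead cert
            raise ssl.SSLCertVerificationError(1, "certificate has expired")
        return canned[ip]
    now = ssl.cert_time_to_seconds("May 23 00:00:00 2013 GMT")
    backends = [("192.0.2.10", 443), ("192.0.2.11", 443), ("192.0.2.12", 443)]
    return check_backends("www.example.org", backends, now=now, fetch=fake_fetch)

if __name__ == "__main__":
    for row in demo():
        print(*row)
```

Run from cron with the real backend list, the rows that are not OK are the ones worth mailing to the certificate's owner.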
Re: [cryptography] skype backdoor confirmation
On 2013-05-23 3:28 AM, Florian Weimer wrote:

> * Adam Back:
>
>> If you want to claim otherwise we're gonna need some evidence.
>
> https://login.skype.com/account/password-reset-request
>
> This is impossible to implement with any real end-to-end security.

Skype's claim was that it was end to end, except for the possibility of man in the middle attack by Skype, and only by Skype.