Re: crypto question

2002-03-24 Thread Jim Choate


On Fri, 22 Mar 2002, Arnold G. Reinhold wrote:

> I'm not sure what changes in your argument if you delete the word
> physical.

I don't think you understand what that means. I was responsible for a
multi-campus (at the time the largest private system ever built) computer
controlled real-time security system connected to the fire, telephone,
video, and computer networks. This involves mag switches, PIRs, thermal,
ultrasonic, microwave, mag stripe cards, etc. We even had a small reactor
on campus as well as a couple of Gutenberg bibles that my group was
partially responsible for.

> Perhaps we should all just give up with this security nonsense.

I'm not suggesting that at all. I -am- suggesting that one should never
underestimate one's opponents. If you could build it, so can they. If they
can build it they can spend time taking it apart. Do most security
organizations or systems have those sorts of time/resources? My experience
is they don't. The major issue is more one of responsibility/indemnity in
conflict with time. The longer a system remains unbroken the more likely
it is to be broken, the only significant caveat is if the system is
updated and modified often enough. Then there is a data collection issue
that limits what is -reasonable-.


--

There is less in this than meets the eye.

Tallulah Bankhead
[EMAIL PROTECTED] www.ssz.com
[EMAIL PROTECTED]  www.open-forge.org




-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]



Re: Foghorn Fritz, the CBDTPA, and the revenge of the Wave-oids (Re: Secure peripheral cards)

2002-03-24 Thread R. A. Hettinga

At 5:04 PM -0500 on 3/23/02, R. A. Hettinga wrote:


> During the internet stock bubble, his investors, self-described
> Wave-oids, would haunt the investor web-chats and shout down anyone who
> talked about actual revenue as a short focused on the Next Big Thing in
> Entertainment Technology.

I really gotta stop writing so fast. Let's try that again, and see if we
can wring actual content out of it, shall we? :-) I should have said:

During the internet stock bubble, his investors, self-described
Wave-oids, would haunt the investor web-chats and shout down anyone who
talked about Wave's actual lack of revenue as a short, trying to kill the
Next Big Thing in Entertainment Technology.

There. That's better. Sort of.

Cheers,
RAH


-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'




Neural network 'in-jokes' could pass secrets

2002-03-24 Thread Will Knight

Hello
I'd be interested to know what people think of this story and whether
anyone is aware of any similarly unusual encryption systems.
Will.


http://www.newscientist.com/news/news.jsp?id=ns2067
Neural network 'in-jokes' could pass secrets

Artificial brains could use in-jokes to deliver secret messages,
according to computer scientists.

The technique relies on neural networks, computer systems designed to
mimic the brain. Just as the brain's nerve cells are wired together in a
complex mesh, neural nets consist of a web of electrical switches, or a
computer simulation of these connections.


Will Knight
http://www.newscientist.com
151 Wardour Street London W1F 8WE
Tel +44 (0)207 411 2688
Mob +44 (0)7905 863 625
PGP Key ID: 7F28A285





Re: crypto question

2002-03-24 Thread Jim Choate


On Sun, 24 Mar 2002 [EMAIL PROTECTED] wrote:

> or just security proportional to risk ... random refs:

There's a shortcoming with that view.

In order to apply realistic metrics to what that risk is (e.g. 1 in 100
years) one must have systems being broken in order to vet it. It's one
thing to state an axiom as you have done. It's a whole other one to apply
it within a time schedule, budget, and general social setting. The three
primary questions that occur when trying to give these real numbers
become:

-   How long between services checks

-   How long between system upgrade/replacement

-   How have other systems stood up to intentional attacks

The first is important to vet the continued operation of an existing
system. The second is important in respect to opportunity to subvert and
the diffusion of 'classified' info out of controlled environments (e.g.
robber's girlfriend is student...who applied for an internship...who
copies the random page hither and yon...). And finally this gives one a
real grasp of cost and 'friction' (to borrow a military term).

A special note for three, this implies that at least some of the
mechanisms of the same 'class' are(!) being broken. If not then one really
has no way to make a metric. The only engineering answer is I don't
know; I make the distinction between political and organizational needs
and engineering ones.

The vast majority of security mechanisms fail on several of these
regularly. It's not intentional but unless you're running something with
the discipline of a military base or prison you're going to have
problems.

I don't believe there are enough deliberate public attacks to make the
third boundary condition relevant in most security situations. But on the
flip side, most security situations are really overly sensitive to their
probability. [1]

[1] Which is probably a good thing for the industry :)








Math and crypto videos available at msri.org

2002-03-24 Thread R. A. Hettinga


--- begin forwarded text


Status:  U
Date: Sat, 23 Mar 2002 23:27:03 -0800
Subject: Math and crypto videos available at msri.org
From: Tim May [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

I've been enjoying the streaming video lectures available at
www.msri.org.

MSRI is the Mathematical Sciences Research Institute, which sits on a
hill above UC Berkeley. MSRI is funded by NSF and other donors and has
no apparent formal connection with UCB (that I can find).

The streaming videos need RealPlayer, but a free version is readily
available. The quality is only mediocre...the mathematicians are still
using overhead transparencies with scrawled writing, and this doesn't
pick up and show well, at least on my own RealPlayer setup. And I get
the usual jerky video from my slow dial-up line, but at least the audio
track is excellent.

I haven't looked at the crypto lectures yet. Dan Bernstein has several
of them, including on fast multiplication hardware for crypto. And the
usual other mathematicians who do crypto are represented.

(BTW, having such videos--hopefully with better quality than overhead
projectors--might be an interesting option for the Crypto for T.C.
Mits project some of you have been talking about. )


--Tim May
The great object is that every man be armed and everyone who is able
may have a gun. --Patrick Henry
The best we can hope for concerning the people at large is that they be
properly armed. --Alexander Hamilton

--- end forwarded text






1024-bit RSA keys in danger of compromise

2002-03-24 Thread Lucky Green

As those of you who have discussed RSA keys size requirements with me
over the years will attest to, I always held that 1024-bit RSA keys
could not be factored by anyone, including the NSA, unless the opponent
had devised novel improvements to the theory of factoring large
composites unknown in the open literature. I considered this to be
possible, but highly unlikely. In short, I believed that users' desires
for keys larger than 1024-bits were mostly driven by a vague feeling
that larger must be better in some cases, and by downright paranoia in
other cases. I was mistaken.

Based upon requests voiced by a number of attendees to this year's
Financial Cryptography conference http://www.fc02.ai, I assembled and
moderated a panel titled RSA Factoring: Do We Need Larger Keys?. The
panel explored the implications of Bernstein's widely discussed
Circuits for Integer Factorization: a Proposal.
http://cr.yp.to/papers.html#nfscircuit

Although the full implications of the proposal were not necessarily
immediately apparent in the first few days following Bernstein's
publication, the incremental improvements to parts of NFS outlined in
the proposal turn out to carry significant practical security
implications impacting the overwhelming majority of deployed systems
utilizing RSA or DH as the public key algorithms.

Coincidentally, the day before the panel, Nicko van Someren announced at
the FC02 rump session that his team had built software which can factor
512-bit RSA keys in 6 weeks using only hardware they already had in the
office.

A very interesting result, indeed. (While 512-bit keys had been broken
before, the feasibility of factoring 512-bit keys on just the computers
sitting around an office was news at least to me).

The panel, consisting of Ian Goldberg and Nicko van Someren, put forth
the following rough first estimates:

While the interconnections required by Bernstein's proposed architecture
add a non-trivial level of complexity, as Bruce Schneier correctly
pointed out in his latest CRYPTOGRAM newsletter, a 1024-bit RSA
factoring device can likely be built using only commercially available
technology for a price range of several hundred million dollars to about
1 billion dollars. Costs may well drop lower if one has the use of a
chip fab. It is a matter of public record that the NSA as well as the
Chinese, Russian, French, and many other intelligence agencies all
operate their own fabs.

Some may consider a price tag potentially reaching $1B prohibitive. One
should keep in mind that the NRO regularly launches SIGINT satellites
costing close to $2B each. Would the NSA have built a device at less
than half the cost of one of their satellites to be able to decipher the
interception data obtained via many such satellites? The NSA would have
to be derelict of duty to not have done so.

Bernstein's machine, once built, will have power requirements in the MW
to operate, but in return will be able to break a 1024-bit RSA or DH key
in seconds to minutes. Even under the most optimistic estimates for
present-day PKI adoption, the inescapable conclusion is that the NSA,
its major foreign intelligence counterparts, and any foreign commercial
competitors provided with commercial intelligence by their national
intelligence services have the ability to break on demand any and all
1024-bit public keys.

The security implications of a practical breakability of 1024-bit RSA
and DH keys are staggering, since none of the following systems as currently
deployed tend to utilize keys larger than 1024 bits:

- HTTPS
- SSH
- IPSec
- S/MIME
- PGP

An opponent capable of breaking all of the above will have access to
virtually any corporate or private communications and services that are
connected to the Internet.

The most sensible recommendation in response to these findings at this
time is to upgrade your security infrastructure to utilize 2048-bit
user keys at the next convenient opportunity. Certificate Authorities
may wish to investigate larger keys as appropriate. Some CAs, such as
those used to protect digital satellite content in Europe, have already
moved to 4096-bit root keys.

Undoubtedly, many vendors and their captive security consultants will
rush to publish countless reasons why nobody is able to build such a
device, would ever want to build such a device, could never obtain a
sufficient number of chips for such a device, or simply should use that
vendor's unbreakable virtual onetime pad technology instead.

While the latter doesn't warrant comment, one question to ask
spokespersons pitching the former is what key size is the majority of
your customers using with your security product? Having worked in this
industry for over a decade, I can state without qualification that
anybody other than perhaps some of the HSM vendors would be misinformed
if they claimed that the majority - or even a sizable minority - of
their customers have deployed key sizes larger than 1024 bits throughout
their organization. Which is not