Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-24 Thread R.A. Hettinga
At 11:17 AM -0700 10/21/05, someone who can't afford a vowel, Alex, ;-)
expressed his anal glands thusly in my general direction:

> You're such an asshole.

My, my. Tetchy, this morning, oh vowelless one...

At 11:17 AM -0700 10/21/05, cyphrpunk wrote:
> This is what you characterized as a unitary global claim. Aside from
> the fact that unitary is meaningless in this context, his claim was
> far from global.

That's "One size fits all," for those of you in Rio Linda. A little bit of
an Irwin Corey joke for the apparently humor-impaired. Be careful now, I'll
start on the Norm Crosby stuff soon, and you might get an aneurysm, or
something.

> While Daniel Nagy has been a model of politeness and modesty in his
> claims here, you have reverted to your usual role as an arrogant
> bully.

Moi?

I kick sand in your face on a beach somewhere I don't remember about?

Seriously, I tell him who did an exchange protocol, Silvio Micali, and that
they're a dime a dozen, second only to Mo' An' Better Auction Protocols,
and he wants me to go out on google, same as *he* can do, and do his work
for him.

Feh.

At 11:17 AM -0700 10/21/05, cyphrpunk wrote:
> I would encourage Daniel not to waste any more time interacting with Hettinga.

Indeed. Especially when he makes with the wet-fish slapping-sounds you do
when actual words are supposed to come out of your mouth. Okay, maybe it's
another orifice. At any rate, you are lacking some, shall we say, ability
to express yourself, on the subject. Be careful, though. Burroughs has this
great cautionary tale about teaching your asshole to talk, speaking of the,
heh, devil...

Cheers,
RAH
Who'll start in on insulting his mother soon, unless Mr. cyphrpunk has
taken that Charles Atlas course he send out for. Hint: Be grateful you
don't have any nipple-hair to get caught in the NEW IMPROVED Charles Atlas
Chest Expander's springs. Hurts like hell, I hear, and deadlifts work
*much* better...
-- 
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Re: Judy Miller needing killing

2005-10-24 Thread John Kelsey
> The question is, can she defy a subpoena based on membership in the
> privileged Reporter class that an ordinary person could not defy?

It seems like the real question is how membership in the class is determined.  
If anyone who's acting like a reporter in a certain context (say, Adam Shostack 
interviewing me for his blog) qualifies, then I don't see the constitutional 
problem, though it may still be good or bad policy.  If you've got to get a 
special card from the government that says you're a journalist, it seems like 
that's more of a problem.  

I guess other places where there's some right not to answer these questions 
exist, but they're mostly based on licensed professions.  I gather your lawyer 
or priest has much more ability to refuse to talk than your doctor or 
accountant, and that your psychologist has a shockingly small ability to refuse 
to talk.  Other than priest, though, all these fields are at least somewhat 
licensed by the state for other reasons, so that makes it easy to use 
possession of a license as a way to tell when someone really is a doctor, 
lawyer, psychologist, etc.  For constitutional reasons, that's not really true 
for journalists.  

GH

--John



[EMAIL PROTECTED]: Skype security evaluation]

2005-10-24 Thread Eugen Leitl
- Forwarded message from Steven M. Bellovin [EMAIL PROTECTED] -

From: Steven M. Bellovin [EMAIL PROTECTED]
Date: Sun, 23 Oct 2005 09:48:37 -0400
To: cryptography@metzdowd.com
Subject: Skype security evaluation
X-Mailer: exmh version 2.6.3 04/04/2003 with nmh-1.0.4

Skype has released an external security evaluation of its product; you 
can find it at 
http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf
(Skype was also clueful enough to publish the PGP signature of the 
report, an excellent touch -- see 
http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf.sig)
The author of the report, Tom Berson, has been in this business for many
years; I have a great deal of respect for him.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

- End forwarded message -
-- 
Eugen* Leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE




Re: [EMAIL PROTECTED]: Skype security evaluation]

2005-10-24 Thread Travis H.
That's a fairly interesting review, and Skype should be commended for
hiring someone to do it.  I hope to see more evaluations from vendors
in the future.

However, I have a couple of suggestions.

My understanding of the peer-to-peer key agreement protocol (hereafter
p2pka) is based on section 3.3 and 3.4.2 and is something like this:

A -> B: N_ab
B -> A: N_ba
B -> A: Sign{f(N_ab)}_a
A -> B: Sign{f(N_ba)}_b
A -> B: Sign{A, K_a}_SKYPE
B -> A: Sign{B, K_b}_SKYPE
A -> B: Sign{R_a}_a
B -> A: Sign{R_b}_b

Session key SK_AB = g(R_a, R_b)

0) The p2pka allows us to use a peer as a signing oracle for nonces by
performing steps 1 through 4.  Only the one-wayness of f (specified
only as "modified in a standard way") stands in the way of arbitrary
forgery, which would allow us to bypass the security on steps 3, 4, 7,
and 8.  It would not stop us from knowing the session key, since there
is no restriction on the form of R_a or R_b.

1) It's not clear that the identity certificates are bound to a
[externally visible] network [source] address at registration time. 
IMHO, this would be a good idea.

2) He implicitly ignores the fact that the skype key is a trusted CA,
so skype can impersonate anyone (or delegate that impersonation by
signing a bogus ID).  This is obvious to a cryptographer but should be
mentioned for the layperson.  An evaluation should explicitly specify
who must be trusted by whom, and everyone must trust the Skype
registrar.

3) It looks like the peer-to-peer communication involves the same key,
SK_AB, in both directions, opening the door for keystream re-use, but
there's 64 bits of presumably random salt so it shouldn't be very
common.

Vagueness:

1) They use an unencrypted 2-byte CRC on each packet between peers. 
Undetected modification to a packet is possible, since the CRC is
computed over the encrypted data and stored en clair.  In this case,
arbitrary bits can be flipped, the CRC recomputed, and no future
packets depend on the current packet, so there's no tell-tale garbling
afterwards like there is in most other block modes.  He alludes to
this in section 3.4.4 but doesn't really specify the impact, merely
compares it to WEP.

2) The session established with the Skype server during registration
is protected with a 256-bit key, which is random, but he doesn't say
how the client and Skype agree on it.

3) It's not clear why they used rc4 instead of ICM to generate key
material, but at least it's not being used for confidentiality.

4) The details of the random number generation are vague ("makes a
number of win32 calls").

5) The details of the SK_AB key composition are vague ("combined in a
cryptographically-sound way"), shown by g in the p2pka above.

6) It doesn't say who sends the nonces first --- is it the recipient
of the connection, or the initiator?  Can we DoS people by repeated
connections triggering digital signatures?

7) It doesn't say whether it's a TCP or UDP protocol, what ports it
uses, etc.  I'm curious if it will work through NAT at both ends.

8) The skype server's timeout on login passwords can be used for a
denial-of-service against the registration protocol and doesn't affect
username guessing (fixed password variable username, a/k/a reverse
hack).

9) It doesn't specify how the salts used in ICM mode are communicated.

10) It doesn't specify how streams are created and numbered.

It'd be nice to see the protocol clearly specified and analyzed via
automated means (finite state analysis via Murphi, etc.).

Obsession with performance:

He makes no fewer than six comments about performance (of the AES
code, of the modular exponentiation, of the primality testing, of
modular inversion, of multi-precision arithmetic libraries, and SHA-1
implementation), which should normally be the least of anyone's
worries, especially cryptographers.  Is this a security evaluation,
or a performance test?

However, since we're talking about real-time audio streams, perhaps
some discussion of the bandwidth and especially latency of the p2p
protocol would be in order.  Unfortunately, there's no quantification
("... performs favorably in terms of clock cycle per encryption").

Trust us:

Finally, the whole thing is closed source, so none of it is easily
verifiable.  We just have to take his word on it, and often he just
offers opinions (see the complaints of vagueness above).

Summary:

All that having been said, I still have more confidence in Skype than
I did before reading the paper.
--
http://www.lightconsulting.com/~travis/  --
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
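Travis's first point under "Vagueness" (a CRC computed over the ciphertext and sent in the clear) is easy to see in code. The block below is an added example, not code from the thread or from Skype: a hash-based counter-mode keystream stands in for AES in ICM, a CRC-16 models the unkeyed check, and HMAC-SHA256 is the keyed alternative under which the same in-transit modification is rejected. The key, salt and packet contents are constructed values.

```python
import hashlib
import hmac

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(key: bytes, salt: bytes, length: int) -> bytes:
    """Counter-mode keystream: SHA-256(key || salt || counter) per 32-byte block.
    Constructed stand-in for AES in ICM; only the XOR structure matters here."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + salt + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def crc16(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF). Unkeyed: anyone can recompute it."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc

# Scheme as described in the review: CRC over the ciphertext, stored en clair.
def seal_crc(key: bytes, salt: bytes, plaintext: bytes) -> bytes:
    ct = xor_bytes(plaintext, keystream(key, salt, len(plaintext)))
    return ct + crc16(ct).to_bytes(2, "big")

def open_crc(key: bytes, salt: bytes, packet: bytes):
    """Receiver side: decrypt if the CRC matches, else return None."""
    ct, tag = packet[:-2], packet[-2:]
    if crc16(ct).to_bytes(2, "big") != tag:
        return None
    return xor_bytes(ct, keystream(key, salt, len(ct)))

# Hardened form: a keyed MAC (HMAC-SHA256) over salt and ciphertext.
def seal_mac(key: bytes, mac_key: bytes, salt: bytes, plaintext: bytes) -> bytes:
    ct = xor_bytes(plaintext, keystream(key, salt, len(plaintext)))
    return ct + hmac.new(mac_key, salt + ct, hashlib.sha256).digest()

def open_mac(key: bytes, mac_key: bytes, salt: bytes, packet: bytes):
    """Receiver side: decrypt only if the keyed tag verifies."""
    ct, tag = packet[:-32], packet[-32:]
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return xor_bytes(ct, keystream(key, salt, len(ct)))

def modify_in_transit(packet: bytes, delta: bytes, tag_len: int, refix_crc: bool) -> bytes:
    """Model the on-path change the review describes: XOR `delta` into the
    ciphertext (under a stream cipher this flips the same plaintext bits) and,
    when the check is an unkeyed CRC, simply recompute it."""
    ct = xor_bytes(packet[:-tag_len], delta.ljust(len(packet) - tag_len, b"\x00"))
    tag = crc16(ct).to_bytes(2, "big") if refix_crc else packet[-tag_len:]
    return ct + tag

def demo():
    """Returns (what the CRC receiver accepts, what the MAC receiver accepts)."""
    key, mac_key, salt = b"K" * 32, b"M" * 32, b"\x01" * 8  # constructed values
    msg = b"packet payload 0001"
    delta = xor_bytes(msg, b"packet payload 9001")          # flips one digit
    crc_pkt = modify_in_transit(seal_crc(key, salt, msg), delta, 2, True)
    mac_pkt = modify_in_transit(seal_mac(key, mac_key, salt, msg), delta, 32, False)
    return open_crc(key, salt, crc_pkt), open_mac(key, mac_key, salt, mac_pkt)
```

The CRC receiver decrypts the altered payload without complaint; the MAC receiver returns None, which is the detection the review says the report never quantifies.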



Re: cypherpunks@minder.net closing on 11/1

2005-10-24 Thread cyphrpunk
On 10/13/05, Brian Minder [EMAIL PROTECTED] wrote:
> The minder.net CDR node will be shutting down on November 1, 2005.  This
> includes the cypherpunks-moderated list.  Please adjust your subscriptions
> accordingly.

Gmail would facilitate automating a new cypherpunks-moderated list.
Gmail's spam filtering is great and even a regular cypherpunks
subscription has almost no spam.

Sign up a gmail account and subscribe it only to cypherpunks. Use the
POP interface to fetch messages from gmail, and redistribute those to
the new cypherpunks-moderated list. Subscribers gain the anti-spam
features of cp-moderated without any manual filtering or moderating
necessary.

CP



Re: [EMAIL PROTECTED]: Skype security evaluation]

2005-10-24 Thread Joseph Ashwood
- Original Message - 
Subject: [Tom Berson Skype Security Evaluation]


Tom Berson's conclusion is incorrect. One needs only to take a look at the
publicly available information. I couldn't find an immediate reference
directly from the Skype website, but it uses 1024-bit RSA keys, the coverage
of breaking of 1024-bit RSA has been substantial. The end, the security is 
flawed. Of course I told them this now years ago, when I told them that 
1024-bit RSA should be retired in favor of larger keys, and several other 
people as well told them.

   Joe




Blood, Bullets, Bombs and Bandwidth

2005-10-24 Thread R.A. Hettinga

--- begin forwarded text


 Date: Sat, 22 Oct 2005 01:50:38 -0400
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R.A. Hettinga [EMAIL PROTECTED]
 Subject: Blood, Bullets, Bombs and Bandwidth

 The long version of the Wired Story on Ryan Lackey, including lots more
 about Tyler Wagner, who I've been reading about almost since he got there
 after the liberation :-) in 2003...

 Just bumped into the bit below, having abandoned Tyler and Jayme's LJs
 after they split, and finding the link after they went back recently.

 Meanwhile, the author bought the wrong vowel, apparently. ;-).

 Cheers,
 RAH
 --

 http://www.rezendi.com/travels/.html

 Blood, Bullets, Bombs, and Bandwidth:
 a tale of two California cipherpunks who went to Baghdad to seek their
 fortune, and bring the Internet to Iraq.

 Ryan Lackey wears body armor to business meetings. He flies armed
 helicopters to client sites. He has a cash flow problem: he is paid in
 hundred-dollar bills, sometimes shrink-wrapped bricks of them, and flowing
 this money into a bank is difficult. He even calls some of his company's
 transactions "drug deals" - but what Lackey sells is Internet access. From
 his trailer on Logistics Staging Area Anaconda, a colossal US Army base
 fifty miles north of Baghdad, Lackey runs Blue Iraq, surely the most
 surreal ISP on the planet. He is 26 years old.

 Getting to Anaconda is no joke. Incoming airplanes make a 'tactical
 descent' landing, better known to military cognoscenti as the 'death
 spiral'; a nose-down plummet, followed by a viciously tight 360-degree
 turn, then another stomach-wrenching dive. The plane is dragged back to
 level only just in time to land, and brakes so hard that anything not
 strapped down goes flying forward. Welcome to Mortaritaville - the
 airbase's mordant nickname, thanks to the insurgent mortars that hit the
 base daily.

 From above, the base looks like a child's sandbox full of thousands of
 military toys. Dozens of helicopters litter the runways: Apaches,
 Blackhawks, Chinooks. F-16 fighters and C-17 cargo planes perch in huge
 igloo-like hangars built by Saddam. The roads are full of Humvees and
 armored personnel carriers. Rows of gunboats rest inexplicably on arid
 desert. A specific Act of Congress is required to build a permanent
 building on any US military base, so Anaconda is full of tents the size of
 football fields, temporary only in name, that look like giant caterpillars.
 Its 25,000 inhabitants, soldiers and civilian contractors like Ryan, are
 housed in tent cities and huge fields of trailers.

 Ryan came to Iraq in July 2004 to work for ServiceSat International, hired
 sight unseen by their CTO Tyler Wagner. Three months later, Ryan quit and
 founded Blue Iraq. He left few friends behind. "I think if Ryan had
 stayed," Tyler says drily, "the staff would have sold him to the
 insurgents."

 - - -

 Iraq is new to the Internet. Thanks to sanctions and Saddam, ordinary
 citizens had no access until 1999. Prewar, there were a mere 1.1 million
 telephone lines in this nation of 26 million people, and fewer than 75 Net
 cafés, connecting via a censored satellite connection. Then the American
 invasion knocked nearly half of Baghdad's landlines out of service, and the
 local exchanges that survived could not connect to one another.

 After the invasion, an army of contractors flooded into Baghdad. Billions
 of reconstruction dollars were being handed out in cash, and everybody -
 local Internet cafés, Halliburton, Ahmed Chalabi, the US military itself -
 wanted Internet access. With the landline service destroyed by war, and
 sabotage a continuing problem, satellite access was the only realistic
 option. Among the companies vying to provide this access in early 2003,
 scant months after the invasion, was ServiceSat International. SSI, a
 startup founded by Kurdish expats, needed an American CTO: partly to import
 America's culture of technical excellence, partly to help deal with Western
 clients and authorities. They called Tyler Wagner. He was 25 years old.

 - - -

 San Francisco, aka Baghdad-by-the-Bay, July 2003. Tyler Wagner is a typical
 counterculture California techie: a Cal Poly CS graduate, part of the
 California punk scene, working for Greenpeace as a network engineer. Then
 an old friend in London recommends him to SSI. They call him. They need a
 capable Westerner willing to move to Iraq. Is he interested?

 When he hangs up the phone, Tyler is shaking with excitement. The risks of
 relocating to a war zone are obvious. But it is a lucrative senior
 management position, offered to a man only two years out of university.
 "Life doesn't often offer you a hand up like that," he reminisces two years
 later, "and when it does, you can't afford to turn it down." One big
 complication: Tyler's girlfriend, Jayme. They have been dating only six
 months. He doesn't want to lose her. He calls and tells her the news - and
 they both ask at the same time if she can come with 

Re: [EMAIL PROTECTED]: Skype security evaluation]

2005-10-24 Thread cyphrpunk
On 10/23/05, Travis H. [EMAIL PROTECTED] wrote:
> My understanding of the peer-to-peer key agreement protocol (hereafter
> p2pka) is based on section 3.3 and 3.4.2 and is something like this:
>
> A -> B: N_ab
> B -> A: N_ba
> B -> A: Sign{f(N_ab)}_a
> A -> B: Sign{f(N_ba)}_b
> A -> B: Sign{A, K_a}_SKYPE
> B -> A: Sign{B, K_b}_SKYPE
> A -> B: Sign{R_a}_a
> B -> A: Sign{R_b}_b
>
> Session key SK_AB = g(R_a, R_b)

But what you have shown here has no encryption, hence no secrecy.
Surely RSA encryption must be used somewhere along the line. The
report doesn't say anything about the details of how that is done. In
particular, although it mentions RSA signature padding it says nothing
about RSA encryption padding.

Is it possible that Skype doesn't use RSA encryption? Or if they do,
do they do it without using any padding, and is that safe?

CP



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-24 Thread cyphrpunk
On 10/22/05, Ian G [EMAIL PROTECTED] wrote:
> R. Hirschfeld wrote:
> > This is not strictly correct.  The payer can reveal the blinding
> > factor, making the payment traceable.  I believe Chaum deliberately
> > chose for one-way untraceability (untraceable by the payee but not by
> > the payer) in order to address concerns such as blackmailing,
> > extortion, etc.  The protocol can be modified to make it fully
> > untraceable, but that's not how it is designed.
>
> Huh - first I've heard of that, would be
> encouraging if that worked.  How does it
> handle an intermediary fall guy?   Say
> Bad Guy Bob extorts Alice, and organises
> the payoff to Freddy Fall Guy.  This would
> mean that Alice can strip her blinding
> factors and reveal that she paid to Freddy,
> but as Freddy is not to be found, he can't
> be encouraged to reveal his blinding factors
> so as to reveal that Bob bolted with the
> dosh.

Right, that is one of the kinds of modifications that Ray referred to.
If the mint allows (de-facto) anonymous exchanges then a blackmailer
can simply do an exchange of his ecash before spending it and he will
be home free. Another mod is for the blackmailer to supply the
proto-coin to be signed, in blinded form.

One property of Daniel Nagy's epoint system is that it creates chains
where each token that gets created is linked to the one it came from.
This could be sold as an anti-abuse feature, that blackmailers and
extortionists would have a harder time avoiding being caught. In
general it is an anti-laundering feature since you can't wash your
money clean, it always links back to when it was dirty.

U.S. law generally requires that stolen goods be returned to the
original owner without compensation to the current holder, even if
they had been purchased legitimately (from the thief or his agent) by
an innocent third party. Likewise a payment system with traceable
money might find itself subject to legal orders to reverse subsequent
transactions, confiscate value held by third parties and return the
ill-gotten gains to the victim of theft or fraud. Depending on the
full operational details of the system, Daniel Nagy's epoints might be
vulnerable to such legal actions.

Note that e-gold, which originally sold non-reversibility as a key
benefit of the system, found that this feature attracted Ponzi schemes
and fraudsters of all stripes, and eventually it was forced to reverse
transactions and freeze accounts. It's not clear that any payment
system which keeps information around to allow for potential
reversibility can avoid eventually succumbing to pressure to reverse
transactions. Only a Chaumian type system, whose technology makes
reversibility fundamentally impossible, is guaranteed to allow for
final clearing. And even then, it might just be that the operators
themselves will be targeted for liability since they have engineered a
system that makes it impossible to go after the fruits of criminal
actions.

CP
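R. Hirschfeld's remark quoted above, that the payer can reveal the blinding factor and so make a Chaumian payment traceable, as an added worked example that is not part of the thread: a toy RSA blind signature in which the mint records each blinded value it signs, plus a check that links a spent coin to a withdrawal record only once the payer discloses r. The Mersenne-prime key, the coin serials and the function names are constructed for the example.

```python
import hashlib
import math
import secrets

# Toy mint key from two known Mersenne primes (constructed for this example;
# a real mint uses a properly generated key of 2048 bits or more).
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # modular inverse, Python 3.8+

def coin_hash(serial: bytes) -> int:
    """Map a coin serial to an integer mod N (toy full-domain hash)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N

def blind(m: int):
    """Payer: choose a blinding factor r and hide m as m * r^E mod N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r

def mint_sign(m_blind: int) -> int:
    """Mint: sign the blinded value. It records m_blind against the withdrawal
    but never learns m, so on its own it cannot match a spent coin to the record."""
    return pow(m_blind, D, N)

def unblind(s_blind: int, r: int) -> int:
    """Payer: strip r to obtain the mint's signature on m itself."""
    return (s_blind * pow(r, -1, N)) % N

def verify(m: int, s: int) -> bool:
    """Payee, or the mint at deposit: check the signature on the coin."""
    return pow(s, E, N) == m

def linked(m_blind_record: int, m: int, r: int) -> bool:
    """The trace step in Hirschfeld's remark: once the payer discloses r, anyone
    can test whether a given withdrawal record produced coin m. Without r the
    test cannot be run, which is what keeps the payee from tracing."""
    return (m * pow(r, E, N)) % N == m_blind_record

def withdraw(serial: bytes) -> dict:
    """Full withdrawal: blind, obtain the mint signature, unblind. The mint keeps
    'record'; the payer keeps 'r' and can later choose to reveal it."""
    m = coin_hash(serial)
    m_blind, r = blind(m)
    s = unblind(mint_sign(m_blind), r)
    return {"m": m, "s": s, "r": r, "record": m_blind}
```

Revealing r links one coin to exactly one withdrawal; the fall-guy problem Ian raises is that the link stops at whoever holds the next r in the chain.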



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-24 Thread John Kelsey

From: cyphrpunk [EMAIL PROTECTED]
Sent: Oct 24, 2005 2:14 PM
Subject: Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

> On 10/22/05, Ian G [EMAIL PROTECTED] wrote:

> Note that e-gold, which originally sold non-reversibility as a key
> benefit of the system, found that this feature attracted Ponzi
> schemes and fraudsters of all stripes, and eventually it was forced
> to reverse transactions and freeze accounts. It's not clear that any
> payment system which keeps information around to allow for potential
> reversibility can avoid eventually succumbing to pressure to reverse
> transactions. Only a Chaumian type system, whose technology makes
> reversibility fundamentally impossible, is guaranteed to allow for
> final clearing. And even then, it might just be that the operators
> themselves will be targeted for liability since they have engineered
> a system that makes it impossible to go after the fruits of criminal
> actions.

More to the point, an irreversible payment system raises big practical
problems in a world full of very hard-to-secure PCs running the
relevant software.  One exploitable software bug, properly used, can
steal an enormous amount of money in an irreversible way.  And if your
goal is to sow chaos, you don't even need to put most of the stolen
money in your own account--just randomly move it around in
irreversible, untraceable ways, making sure that your accounts are
among the ones that benefit from the random generosity of the attack.
The payment system operators will surely be sued for this, because
they're the only ones who will be reachable.  They will go broke, and
the users will be out their money, and nobody will be silly enough to
make their mistake again.

> CP

--John



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-24 Thread Steve Schear

At 11:14 AM 10/24/2005, cyphrpunk wrote:


> Note that e-gold, which originally sold non-reversibility as a key
> benefit of the system, found that this feature attracted Ponzi schemes
> and fraudsters of all stripes, and eventually it was forced to reverse
> transactions and freeze accounts. It's not clear that any payment
> system which keeps information around to allow for potential
> reversibility can avoid eventually succumbing to pressure to reverse
> transactions.


I don't think E-gold ever held out its system as non-reversible with proper 
court order.  All reverses I am aware of happened either due to some technical 
problem with their system or an order from a court of competence in the 
matter at hand.



> Only a Chaumian type system, whose technology makes
> reversibility fundamentally impossible, is guaranteed to allow for
> final clearing. And even then, it might just be that the operators
> themselves will be targeted for liability since they have engineered a
> system that makes it impossible to go after the fruits of criminal
> actions.


It's not clear at all that courts will find engineering a system for 
irreversibility is illegal or contributory if there was good justification 
for legal business purposes, which of course there are.


Steve