a 'stacked' design which allows modules to be plugged
in readily. The user has no way of knowing what the card is signing.
It's possible to more or less fix this problem with dedicated readers
that have displays and authenticate their input, but the market doesn't
seem to be ready for them yet.
--
Eric Murray Consulting Security Architect SecureDesign LLC
http://www.securedesignllc.com PGP keyid:E03F65E5
ng to make requesters connect with SSL to retrieve
entropy. Then it's on the pointless side, since the attacker only has to
solve the problem of when to turn on/off his snooping the network
to duplicate that part of the entropy pool. That's pretty much
the "pick a key from a CD" model...
HMAC-like (nested hash with pads)
of the same handshake messages.
So it looks like the answer is no.
--
Eric Murray http://www.lne.com/ericm ericm at lne.com PGP keyid:E03F65E5
Consulting Security Architect
API as BSAFE.
--
Eric Murray http://www.lne.com/ericm ericm at lne.com PGP keyid:E03F65E5
Consulting Security Architect
. openssl.org.
--
Eric Murray http://www.lne.com/ericm ericm at lne.com PGP keyid:E03F65E5
Security consulting: secure protocols, security reviews, standards, smartcards.
e relates a story where Adleman
insisted to Rivest that his (Adleman's) name be last on the paper...
Ron had originally had it in alphabetical order.
Perhaps "ASR" might then be appropriate?
--
Eric Murray http://www.lne.com/ericm ericm at lne.com PGP keyid:E03F65E5
Security consult
the
correct MIME content-type hooks in the user's browser, and then send
them the real PGP-encrypted file 10 minutes later when they're equipped
to deal with it?
It's still not secure, but it's a lot less insecure than a SDA.
--
Eric Murray http://www.lne.com/ericm ericm at lne.com PGP ke
the radios with me to Europe?
Check out Bert-Jaap Koops' Crypto Law Survey.
http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm
--
Eric Murray www.lne.com/~ericm ericm at the site lne.com PGP keyid:E03F65E5
Security consulting: security models, reviews, protocols, crypto.
ways for an attacker to change
the CPU load on a host.
--
Eric Murray www.lne.com/~ericm ericm at the site lne.com PGP keyid:E03F65E5
y... and current s/w is
notoriously lax on that. Any software solution like
that would be hackable on the recipient's machine.
--
Eric Murray www.lne.com/~ericm ericm at the site lne.com PGP keyid:E03F65E5
. This method can encode
arbitrary plaintext. By implication, the random data does not contain
an SOT nor EOT.
I assume that you do this before encryption.
Wouldn't compressing the plaintext before encryption have the same effect?
--
Eric Murray www.lne.com/~ericm ericm at the site lne.com PGP
al property reason (RNGs being patentable and
worth some money). Unfortunately none of those reasons are all that
great.
--
Eric Murray www.lne.com/~ericm ericm at the site lne.com PGP keyid:E03F65E5
ing to make everyone's
lives easier" and not thinking through all the ramifications. But
I suspect that no one at BXA takes this seriously as a way to
report exports and it's simply a regulatory placeholder and
possibly a selective enforcement mechanism.
--
Eric Murray www.lne.com/~ericm ericm at the site lne.com PGP keyid:E03F65E5
.
--
Eric Murray www.lne.com/~ericm ericm at the site lne.com PGP keyid:E03F65E5
come up with are
based on using secure hashes.
-Bram
--
Eric Murray N*Able Technologies www.nabletech.com
(email: ericm at the sites lne.com or nabletech.com) PGP keyid:E03F65E5
the data comes from or goes. The strongest crypto in
the world won't help if your data is open to attack after it's
decrypted; attackers go after the weakest link.
--
Eric Murray N*Able Technologies www.nabletech.com
(email: ericm at the sites lne.com or na
a little
readable after the first time they have to read old code they wrote and
spend hours re-discovering what it does. ALL good programmers I have
known do this, although ideas about what is "readable" differ widely.
--
Eric Murray N*Able Te
Starium (with cypherpunks Whit Diffie and Eric Blossom)
announce an STU-III add-on for ~$100.
http://www.eetimes.com/story/OEG19990423S0015
--
Eric Murray N*Able Technologies www.nabletech.com
(email: ericm at the sites lne.com or nabletech.com) PGP
ation and my PGP key
isn't worth very much since my secrets aren't all that interesting.
But a deployment of a million or two Pilots for use as credit
authenticating devices (just to make up an example) would, unless
the keys are protected in some other trusted hardware, be a big
fat target.
--
Er
and keyboard and run WindowsCE :-)
Currently shipping 7816 cards max out at about 32k of FLASH
for program and data, and a few K of RAM. Most are 8-bit processors
but there's been some work on putting a 32-bit ARM in cards.
--
Eric Murray N*Able Technologies
ed to have a higher rate just to cover immediate
use after boot. In a system with a disk you can keep a random pool
around between boots, reducing the first-time problem to the first
boot-up. But that's not an option in embedded or diskless situations.
--
Eric Murray N*Able Te
cess to the database to retrieve
keys for the attackers. But it got the point across that it's vulnerable.
--
Eric Murray N*Able Technologies www.nabletech.com
(email: ericm at the sites lne.com or nabletech.com) PGP keyid:E03F65E5