Re: IPsec +- Perfect Forward Secrecy
OK, let me ask a more specific question. Actually, let me put forth some hypotheses about how I think it works, and see if anyone has corrections or comments.

0) I'm not sure the words "Perfect Forward Secrecy" convey what we mean when we talk about PFS. Definition 12.16 in HAC suggests _break-backward protection_ as an alternative, and I prefer that. Perhaps the complementary concept of break-back _exposure_ would be even more useful.
http://www.cacr.math.uwaterloo.ca/hac/
http://www.cacr.math.uwaterloo.ca/hac/about/chap12.pdf
I think for today we don't have a simple yes/no question as to whether the secrecy is perfect; instead we have multiple quantitative questions as to which connections have how much break-back exposure.

1) First an ISAKMP SA is set up, then it is used to negotiate one or more IPsec SAs, which carry the traffic.

2) Ephemeral DH is always used on the ISAKMP SA, so the ISAKMP session has no more than one ISAKMP session's worth of break-back exposure. That is, the attacker who steals an ISAKMP session key can read that session, but (so far as we know :-) does not thereby gain any head-start toward reading earlier ISAKMP sessions.

3) Each IPsec SA has its own session key. The stated purpose of Quick Mode is to provide fresh keying material. Nonces are used. As I understand it, that means the IPsec session keys are sufficiently ephemeral that each IPsec session has no more than one IPsec session's worth of break-back exposure. That is, the attacker who steals an IPsec session key can read that session, but does not (sfawk :-) gain any head-start toward reading earlier IPsec sessions.

4) As far as I can tell, the only interesting question is whether a break of the ISAKMP session is _inherited_ by the IPsec sessions set up using that ISAKMP session. The break of an IPsec session will not spread at all. The break of an ISAKMP session will not spread beyond that ISAKMP session ... but what happens within that ISAKMP session?

The answer, as I understand it, depends on the setting of the misleadingly-named IPsec PFS option. If the option is set, there is an additional layer of opacity on a per-IPsec-SA basis, so that a break of the ISAKMP session is not inherited by its IPsec SAs.

Bottom line: As I understand it, IPsec always has a reasonably tight limit on the amount of break-back exposure, but setting the so-called PFS option reduces the exposure further ... roughly speaking, by a factor of the number of IPsec SAs per ISAKMP SA.

Comments, anyone?

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: SSL/TLS passive sniffing
On Wed, 1 Dec 2004, Anne Lynn Wheeler wrote:
> the other attack is on the certification authorities business process

Note that in a fair number of certificate issuing processes common in industry the CA (sysadmin) generates both the private key -and- certificate, signs it and then exports both to the user's PC (usually as part of a VPN or Single Sign-on setup). I've seen situations more than once where the 'CA' keeps a copy of both on file. Generally to ensure that after the termination of an employee or the loss of a laptop things 'can be set right' again. Suffice to say that this makes eavesdropping even easier.

Dw
Re: IPsec +- Perfect Forward Secrecy
Eric Rescorla [EMAIL PROTECTED] writes:
> John Denker [EMAIL PROTECTED] writes:
>> Eric Rescorla wrote:
>>> Uh, you've just described the ephemeral DH mode that IPsec always uses and SSL provides.
>>
>> I'm mystified by the word "always" there, and/or perhaps by the definition of Perfect Forward Secrecy. Here's the dilemma: On the one hand, it would seem to the extent that you use ephemeral DH exponents, the very ephemerality should do most (all?) of what PFS is supposed to do. If not, why not? And yes, IPsec always has ephemeral DH exponents lying around. On the other hand, there are IPsec modes that are deemed to not provide PFS. See e.g. section 5.5 of http://www.faqs.org/rfcs/rfc2409.html
>
> Sorry, when I said IPsec I mean IKE. I keep trying to forget about the manual keying modes. AFAICT IKE always uses the DH exchange as part of establishment.

IKE always performs DH as part of phase 1 (Main Mode or Aggressive Mode), which authenticates and produces long-term keys for phase 2 and similar. In phase 2 (Quick Mode), which actually produces IPsec SAs, one can optionally perform an additional DH for PFS.
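John Denker's exposure analysis and the reply above both come down to one thing: what the Quick Mode KEYMAT depends on, and whether every input is either recorded on the wire or derivable from the ISAKMP SA's SKEYID_d. The following is an added example, not code from either poster or from any IKE implementation. It models the RFC 2409 section 5.5 KEYMAT derivations with HMAC-SHA256 standing in for the negotiated prf, a toy Diffie-Hellman group (modulus 2^127-1, g=2, constructed here and far too small for real use) and a simplified phase 1, and it counts how many IPsec SAs under one ISAKMP SA a passive recording plus a later-compromised SKEYID_d lets one re-derive.

```python
"""Toy model of IKEv1 Quick Mode keying (RFC 2409 sec. 5.5) with and without PFS.

Added illustration, not an IKE implementation.  Assumptions: HMAC-SHA256 stands
in for the negotiated prf; the DH group is the toy prime 2**127-1 with g=2
(constructed here, far too small for real use); phase 1 is simplified.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1                      # toy DH modulus (Mersenne prime), NOT a real IKE group
G = 2
DH_LEN = (P.bit_length() + 7) // 8  # fixed width for g^xy as bytes


def prf(key: bytes, data: bytes) -> bytes:
    """Stand-in for the negotiated IKE prf."""
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(x: int, peer_pub: int) -> bytes:
    """g^xy as a fixed-width byte string."""
    return pow(peer_pub, x, P).to_bytes(DH_LEN, "big")


def phase1_skeyid_d() -> bytes:
    """Simplified Main Mode: ephemeral DH -> SKEYID -> SKEYID_d.

    RFC 2409 sec. 5: SKEYID = prf(Ni_b | Nr_b, g^xy) for signature authentication,
    SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0).  Cookies are constructed.
    """
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    gxy = dh_shared(xi, gxr)
    assert gxy == dh_shared(xr, gxi)
    skeyid = prf(ni + nr, gxy)
    return prf(skeyid, gxy + cky_i + cky_r + b"\x00")


def quick_mode(skeyid_d: bytes, pfs: bool):
    """One Quick Mode exchange.  Returns (KEYMAT, what a passive observer saw).

    RFC 2409 sec. 5.5:
      without PFS: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
      with PFS:    KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
    """
    proto = b"\x03"                      # ESP
    spi = secrets.token_bytes(4)         # constructed SPI
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    seen = {"proto": proto, "spi": spi, "ni": ni, "nr": nr}
    if pfs:
        xi, gxi = dh_keypair()           # fresh exponents, discarded after the exchange
        xr, gxr = dh_keypair()
        seen.update(gxi=gxi, gxr=gxr)    # only the public values cross the wire
        keymat = prf(skeyid_d, dh_shared(xi, gxr) + proto + spi + ni + nr)
    else:
        keymat = prf(skeyid_d, proto + spi + ni + nr)
    return keymat, seen


def rederive_from_transcript(skeyid_d: bytes, seen: dict):
    """What a later compromise of SKEYID_d plus a recorded Quick Mode yields.

    Without PFS every input to KEYMAT is either SKEYID_d or on the wire.
    With PFS the missing input is g(qm)^xy, and only g^x and g^y were seen.
    """
    if "gxi" in seen:
        return None
    return prf(skeyid_d, seen["proto"] + seen["spi"] + seen["ni"] + seen["nr"])


def exposed_sa_count(n_ipsec_sas: int, pfs: bool) -> int:
    """Number of IPsec SAs under one ISAKMP SA readable after SKEYID_d leaks."""
    skeyid_d = phase1_skeyid_d()
    exposed = 0
    for _ in range(n_ipsec_sas):
        keymat, seen = quick_mode(skeyid_d, pfs)
        if rederive_from_transcript(skeyid_d, seen) == keymat:
            exposed += 1
    return exposed


if __name__ == "__main__":
    for pfs in (False, True):
        print(f"PFS={'on' if pfs else 'off'}: {exposed_sa_count(4, pfs)} of 4 IPsec SAs exposed")
```

With the option off, every IPsec SA negotiated under the ISAKMP SA is exposed once SKEYID_d is known, which is the "factor of the number of IPsec SAs per ISAKMP SA" in the bottom line above; with it on, each Quick Mode's g(qm)^xy is an input that was never recorded, so the count drops to zero. The toy group is small enough that a real adversary could simply solve the discrete log, so this shows only the dependency structure, not the strength of any group.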
RE: SSL/TLS passive sniffing
> This sounds very confused. Certs are public. How would knowing a copy of the server cert help me to decrypt SSL traffic that I have intercepted?

I found a lot of people mistakenly use the term "certificate" to mean something like a pkcs12 file containing public key certificate and private key. Maybe it comes from crypto software sales people that oversimplify or don't really understand the technology. I don't know, but it's a rant I have.

> Now if I had a copy of the server's private key, that would help, but such private keys are supposed to be closely held. Or are you perhaps talking about some kind of active man-in-the-middle attack, perhaps exploiting DNS spoofing? It doesn't sound like it, since you mentioned passive sniffing.

I guess the threat would be something like an adversary getting access to a web server, getting a hold of the private key (which in most cases is just stored in a file; a lot of servers need to be bootable without intervention as well, so there is a password somewhere in the clear that allows one to unlock the private key), and then using it from a distance, say on a router near the server where the adversary can sniff the connections. A malicious ISP admin could pull off something like that, law authority that wants to read your messages, etc.

Is that a threat worth mentioning? Well, it might be. In any case, forward-secrecy is what can protect us here. Half-certified (or fully certified) ephemeral Diffie-Hellman provides us with that property. Of course, if someone could get the private signature key, he could then do a man-in-the-middle attack and decrypt all messages as well. It wouldn't really be that much harder to pull off.

--Anton
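The distinction Anton draws is between a server key that is used to transport the session secret and one that is used only to sign an ephemeral Diffie-Hellman share. The following is an added example, not code from the thread or from any TLS library: it models the two handshakes with textbook RSA over two small primes (no padding) and a toy DH group (modulus 2^127-1), all constructed here and none of it fit for real use, and then asks what a recorded transcript plus a later-stolen server private key can still recover.

```python
"""Toy comparison of TLS-style RSA key transport with signed ephemeral DH (DHE).

Added illustration, not TLS itself.  Assumptions: textbook RSA over two small
primes (no padding), a toy DH prime 2**127-1 with g=2, SHA-256 as the key
derivation; all constructed here and none of it fit for real use.
"""
import hashlib
import secrets

P_DH = 2**127 - 1                 # toy DH modulus, not a real group
G_DH = 2
DH_LEN = (P_DH.bit_length() + 7) // 8
RSA_P, RSA_Q = 1000003, 1000033   # small primes: toy RSA only


def rsa_keygen():
    """Textbook RSA key pair: returns ((n, e), (n, d))."""
    n = RSA_P * RSA_Q
    e = 65537
    d = pow(e, -1, (RSA_P - 1) * (RSA_Q - 1))
    return (n, e), (n, d)


def rsa_encrypt(pub, m: int) -> int:
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def rsa_sign(priv, data: bytes) -> int:
    n, d = priv
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(h, d, n)


def rsa_verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(sig, e, n) == h


def dh_keypair():
    x = secrets.randbelow(P_DH - 2) + 1
    return x, pow(G_DH, x, P_DH)


def kdf(secret: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Stand-in for the TLS master-secret / key-block derivation."""
    return hashlib.sha256(secret + client_random + server_random).digest()


def handshake_rsa(server_pub):
    """RSA key transport: client encrypts the pre-master secret to the server's long-term key."""
    cr, sr = secrets.token_bytes(32), secrets.token_bytes(32)
    premaster = secrets.randbelow(server_pub[0])          # must be < n for textbook RSA
    transcript = {"mode": "rsa", "cr": cr, "sr": sr,
                  "enc_premaster": rsa_encrypt(server_pub, premaster)}
    return kdf(premaster.to_bytes(8, "big"), cr, sr), transcript


def handshake_dhe(server_pub, server_priv):
    """Half-certified ephemeral DH: the server signs a fresh DH share with its long-term key."""
    cr, sr = secrets.token_bytes(32), secrets.token_bytes(32)
    x, gx = dh_keypair()                                   # client's ephemeral exponent
    y, gy = dh_keypair()                                   # server's ephemeral exponent
    signed = gy.to_bytes(DH_LEN, "big") + cr + sr
    sig = rsa_sign(server_priv, signed)
    assert rsa_verify(server_pub, signed, sig)             # client checks before using gy
    shared = pow(gy, x, P_DH).to_bytes(DH_LEN, "big")
    assert shared == pow(gx, y, P_DH).to_bytes(DH_LEN, "big")
    transcript = {"mode": "dhe", "cr": cr, "sr": sr, "gx": gx, "gy": gy, "sig": sig}
    # x and y are dropped here; nothing retained on either side can rebuild `shared`
    return kdf(shared, cr, sr), transcript


def recover_after_key_theft(stolen_priv, transcript):
    """Passive recording of the handshake plus later theft of the server's private key."""
    if transcript["mode"] == "rsa":
        pm = rsa_decrypt(stolen_priv, transcript["enc_premaster"])
        return kdf(pm.to_bytes(8, "big"), transcript["cr"], transcript["sr"])
    return None   # DHE: the stolen key only signs; g^xy needs x or y, which were never recorded


def forward_secrecy_demo() -> dict:
    """True means the recorded session key was recovered from the stolen key."""
    pub, priv = rsa_keygen()
    out = {}
    key, t = handshake_rsa(pub)
    out["rsa_key_transport"] = recover_after_key_theft(priv, t) == key
    key, t = handshake_dhe(pub, priv)
    out["signed_ephemeral_dh"] = recover_after_key_theft(priv, t) == key
    return out


if __name__ == "__main__":
    print(forward_secrecy_demo())
```

The recorded RSA-key-transport session falls to the stolen key outright, while the recorded DHE session does not. The stolen signing key still matters for DHE, as Anton notes: from the moment of theft it lets an active party sign its own DH shares, so forward secrecy limits the damage to sessions after the compromise rather than removing it. Rotating the key and revoking the certificate is what closes that window.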
Re: Anti-RFID outfit deflates Mexican VeriChip hype
R.A. Hettinga [EMAIL PROTECTED] forwarded:
> Promoting implanted RFID devices as a security measure is downright 'loco,' says Katherine Albrecht. Advertising you've got a chip in your arm that opens important doors is an invitation to kidnapping and mutilation.

Since kidnapping is sort of an unofficial national sport in Mexico (or at least Mexico City), this is particularly apropos. An implanted RFID seems to be just asking for an express kidnap, something more traditionally used to get money from ATMs.

Peter.
Quantum memory for light
http://www.physorg.com/news2227.html

Quantum memory for light
December 03, 2004

Realization of quantum memory for light allows the extension of quantum communication far beyond 100 km

In the macroscopic classical world, it is possible to copy information from one device into another. We do this every day, when, for example, we copy files in a computer or we tape a conversation. In the microscopic world, however, it is not possible to copy the quantum information from one system into another one. It can only be transferred, without leaving any trace on the original one. The manipulation and transfer of quantum information is, in fact, a very active field of research in physics and informatics, since it is the basis of all the protocols and algorithms in the fields of quantum communication and computation, which may revolutionize the world of information. In the work published in Nature, November 25, 2004, scientists from the Max Planck Institute for Quantum Optics in Garching and the Niels Bohr Institute in Copenhagen have proposed a scheme to transfer the quantum state of a pulse of light onto a set of atoms and have demonstrated it experimentally.

Image: Experimental set-up: Atomic memory unit consisting of two caesium cells inside magnetic shields 1 and 2. The path of the recorded and read-out light pulses is shown with arrows. (Max Planck Institute of Quantum Optics / Niels Bohr Institute Copenhagen)

In the experiment, a pulse of light is prepared in a certain quantum state whose properties (polarization) are randomly chosen. Then, the light is sent through a set of atoms which are contained in a small transparent box (an atomic cell) at room temperature. In the cell, the light and atoms interact with each other, giving rise to an entangled state in which the two systems remain correlated.

After leaving the atomic sample, the pulse of light is detected. Due to the fact that the light and atoms are entangled, the process of measurement on the light affects the quantum state of the atoms in such a way that they acquire the original properties of the light. In this way, the state of polarization of the photons is transferred into the polarization state of the atoms. This action at a distance, in which performing a measurement on one system affects the state of another system which is at a different location, is one of the most intriguing manifestations of Quantum Mechanics, and is the basis of applications such as quantum cryptography or phenomena like teleportation.

In order to check that the transfer of polarization has indeed taken place, the researchers measured the polarization of the atoms at the beginning of the experiment and compared it with the original state of polarization of the light. In the experiment, these two polarizations coincided up to 70% of the time. The main reason for the imperfections was spontaneous emission, a process in which the atoms absorb the photons but then emit them in a different direction such that they do not go towards the photo-detector.

A question that the authors of the paper had to carefully analyze was to what extent 70% coincidence is enough to claim that the process was successful. Or, in other words, could they obtain the same result by measuring the state of polarization of the photons and then preparing the state of the atoms accordingly? The answer is no. Due to the basic properties of quantum mechanics, the state of polarization of a laser pulse cannot be fully detected. Due to the Heisenberg uncertainty principle, it is impossible to measure the full polarization exactly. In fact, as some of the authors together with K. Hammerer and M. Wolf (from the Max Planck Institute of Quantum Optics) have recently shown, the best one can do using this latter method would be 50%.

This implies that the experiment indeed has successfully demonstrated the transfer beyond what one could do without creating the entangled state. The current experiment paves the way for new experiments in which the information contained in light can be mapped onto atomic clusters and then back into the light again. In this way, one could not only store the state of light in atomic clusters, but also retrieve it. This process will be necessary if we want to build quantum repeaters, that is, devices which will allow the extension of quantum communication far beyond the distances (of the order of 100 km) which are achieved nowadays.

Original work: B. Julsgaard, J. Sherson, J.I. Cirac, J. Fiurásek, and E.S. Polzik, "Experimental demonstration of quantum memory for light", Nature 432, 482 (2004)

Source: Max Planck Institute

--
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
...
Re: SSL/TLS passive sniffing
Anton Stiglic wrote:
> I found a lot of people mistakenly use the term "certificate" to mean something like a pkcs12 file containing public key certificate and private key. Maybe it comes from crypto software sales people that oversimplify or don't really understand the technology. I don't know, but it's a rant I have.

I just went off on a possibly similar rant in comp.security.ssh, where a question was posed about password or certificate:
http://www.garlic.com/~lynn/2004p.html#60
http://www.garlic.com/~lynn/2004q.html#0