Re: Kama Sutra Spoofs Digital Certificates

2006-01-26 Thread Lance James
Peter Gutmann wrote:

> Anne & Lynn Wheeler [EMAIL PROTECTED] writes:
>
>> The Kama Sutra worm can fool Windows into accepting a malicious ActiveX
>> control by spoofing a digital signature, a security company said Tuesday.
>
> If you track down the original Fortinet advisory you'll see that the
> InformationWeek text is slightly misleading, all it does is set the "this
> control is all right" flags in the registry to make Windows think it's
> passed a signature check at some point in the past.

Sounds like a pseudo-Cache attack then - is that not valid as a
spoof though?

There was an embedded SSL Cache attack a few years back, and that was
considered a man-in-the-middle spoof attack.

Is there a specific definition to that?

> Peter.


-- 
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


thoughts on one time pads

2006-01-26 Thread Travis H.
In this article, Bruce Schneier argues against the practicality of a
one-time pad:

http://www.schneier.com/crypto-gram-0210.html#7

I take issue with some of the assumptions raised there.

For example, you may have occasional physical meetings with a good
friend, colleague, family member, or former co-worker.  Let's say you
see them once every few years, maybe at a conference or a wedding or a
funeral or some other occasion.  At such times, you could easily hand
them a CD-ROM or USB flash drive full of key material.  Then, you
could use that pad to encrypt messages to them until the next time you
meet.  Let's say you send them ten 1kB messages per year.  Then a $1
CD-ROM would hold enough data for 7 years of communication!  Heck,
I could put the software on the image and make a dozen to keep with
me, handing them out to new acquaintances as a sort of preemptive
secure channel.

Bruce acknowledges this by saying "[t]he exceptions to this are
generally in specialized situations where simple key management is a
solvable problem and the security requirement is timeshifting."  He
then dismisses it by saying "[o]ne-time pads are useless for all but
very specialized applications, primarily historical and non-computer."

Excuse me?  This would in fact be a _perfect_ way to distribute key
material for _other_ cryptosystems, such as PGP, SSH, IPSec, openvpn,
gaim-encryption etc. etc.  You see, he's right in that the key
distribution problem is the hardest problem for most computer
cryptosystems.  So the OTP system I described here is the perfect
complement for those systems; it gives them a huge tug on their
bootstraps, gets them running on their own power.

I'm not sure it is even limited to this use case.  For example, before
a ship sets out to sea, you could load it up with enough key material
to last a few millennia.  How much key material could a courier carry?
I bet it's a lot.  As they say, "never underestimate the bandwidth of
a station wagon full of tapes."  And don't embassies have diplomatic
pouches that get taken to them and such?

So my questions to you are:

1) Do you agree with my assessment?  If so, why has every crypto
expert I've seen poo-pooed the idea?

2) Assuming my use case, what kind of attacks should I worry about? 
For example, he might leave the CD sitting around somewhere before
putting it in his computer.  If it sits around on CD, physical access
to it would compromise past and future communications.  If he copies
it to flash or magnetic media, then destroys the CD, we can
incrementally destroy the pad as it is used, but we have to worry
about data remanence.

3) How should one combine OTP with another conventional encryption
method, so that if the pad is copied, we still have conventional
cipher protection?  In this manner, one could use the same system for
different use cases; one could, for example, mail the pad, or leave it
with a third party for the recipient to pick up, and you
opportunistically get theoretical security if the opponent doesn't get
it, and you get empirical (conventional) security if they do.

4) For authentication, it is simple to get excellent results from an
OTP.  You simply send n bytes of the OTP, which an attacker has a
2^-8n chance in guessing.  How do we ensure message integrity?  Is it
enough to include a checksum that is encrypted with the pad?  Does it
depend on our method of encipherment?  Assuming the encipherment is
XOR, is a CRC sufficient, or can one flip bits in the message and CRC
field so as to cancel each other?  If so, how should we compute a MIC?
Just SHA-1, and include that right after the plaintext (that is, we
encrypt the MIC so as to not reveal a preimage if SHA-1 is found to be
invertible)?

5) How should one decouple message lengths from plaintext lengths?

6) How should one detect and recover from lost, reordered, or partial messages?

All I've got to say is, I'm on this like stink on doo-doo.  Being the
thorough, methodical, paranoid person I am, I will be grateful for any
pointers to prior work and thinking in this area.  I recall Jim Choate
from the Austin cypherpunks saying he was working on a OTP system, but
never heard any more about it (let's not discuss him though please,
this thread is about one time pads).
--
The generation of random numbers is too important to be left to chance.
  -- Robert R. Coveyou -- http://www.lightconsulting.com/~travis/
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B



a crypto wiki

2006-01-26 Thread Travis H.
http://www.cryptodox.com/Main_Page

--
The generation of random numbers is too important to be left to chance.
  -- Robert Coveyou -- http://www.lightconsulting.com/~travis/
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B



Re: thoughts on one time pads

2006-01-26 Thread Thierry Moreau



Travis H. wrote:

> In this article, Bruce Schneier argues against the practicality of a
> one-time pad:
>
> http://www.schneier.com/crypto-gram-0210.html#7
>
> I take issue with some of the assumptions raised there.
>
> [...] Then a $1
> CD-ROM would hold enough data for 7 years of communication! [...]
>
> So my questions to you are:
>
> 1) Do you agree with my assessment?  If so, why has every crypto
> expert I've seen poo-pooed the idea?

You shift to the problem of filling CDs with pure random data. Which
physical property do you want to sample and with which type of hardware
do you expect to sample it and at which rate, and with which protection
against eavesdropping during the sampling? At what cost? With what kind
of design assurance that the pure random data is indeed pure and random?


Have fun.

--

- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada   H2M 2A1

Tel.: (514)385-5691
Fax:  (514)385-5900

web site: http://www.connotech.com
e-mail: [EMAIL PROTECTED]




A glimpse of SIGINT 20 years ago...

2006-01-26 Thread Perry E. Metzger

This is a couple of weeks old, but it appears that, by accident, a lot
of information on the targets and methods being used for
US/Australian/NZ SIGINT about 20 years ago has come to light as the
result of the release of a late New Zealand Prime Minister's papers.

http://www.stuff.co.nz/stuff/print/0,1478,3540743a6005,00.html

Among other things:

   The report lists the Tangimoana station's targets in 1985-86 as
   French South Pacific civil, naval and military; French Antarctic
   civil; Vietnamese diplomatic; North Korean diplomatic; Egyptian
   diplomatic; Soviet merchant and scientific research shipping; Soviet
   Antarctic civil. Soviet fisheries; Argentine naval; Non-Soviet
   Antarctic civil; East German diplomatic; Japanese diplomatic;
   Philippine diplomatic; South African Armed Forces; Laotian diplomatic
   (and) UN diplomatic.

   The station intercepted 165,174 messages from these targets, an
   increase of approximately 37,000 on the 84/85 figure. Reporting on the
   Soviet target increased by 20% on the previous year.

Hat tip to Bruce Schneier's blog for reminding me about it.

-- 
Perry E. Metzger  [EMAIL PROTECTED]



Re: thoughts on one time pads

2006-01-26 Thread Jack Lloyd
On Thu, Jan 26, 2006 at 05:30:36AM -0600, Travis H. wrote:

[...]
> Excuse me?  This would in fact be a _perfect_ way to distribute key
> material for _other_ cryptosystems, such as PGP, SSH, IPSec, openvpn,
> gaim-encryption etc. etc.  You see, he's right in that the key
> distribution problem is the hardest problem for most computer
> cryptosystems.  So the OTP system I described here is the perfect
> complement for those systems; it gives them a huge tug on their
> bootstraps, gets them running on their own power.
[...]
> So my questions to you are:
>
> 1) Do you agree with my assessment?  If so, why has every crypto
> expert I've seen poo-pooed the idea?

Your use case above suggests that you are still willing to trust conventional
ciphers to be secure, so, practically speaking, what is the difference between:

Key #1: 128 bits of one time pad
Key #2: AES_{masterkey}(counter++)

I'm not an expert, but the reason I'd call it a bad idea (versus just not
worth the effort, which is all the AES/OTP comparison is suggesting) is it
introduces a need for synchronization, and that can be a hard thing to do
between arbitrary parties on a network.

> 2) Assuming my use case, what kind of attacks should I worry about?
> For example, he might leave the CD sitting around somewhere before
> putting it in his computer.  If it sits around on CD, physical access
> to it would compromise past and future communications.  If he copies
> it to flash or magnetic media, then destroys the CD, we can
> incrementally destroy the pad as it is used, but we have to worry
> about data remanence.

I don't think attacks are the problem, so much as susceptibility to errors. To
even get started, you need a CD of truly random bits, which is fairly
non-trivial to do on many platforms (and it's difficult to test if your bits
are actually random or just look that way). More importantly, the key
management issues seem annoying and highly prone to catastrophic failure. For
example, I send you a message using the first N bits of the pad, my machine
crashes, I restore from backup (or a filesystem checkpoint), and then my index
into the pad is reset back to the start. Then I resend a second message using
the same pad bits. Problem.

I think your characterization of the possible attacks is pretty fair. But
compare the OTP failure mode "access to it would compromise past and future
communications", to the failure mode of, say, RSA authenticated DH key
exchange, which provides PFS and requires an active attack in order to attack
communications even after the key is compromised. Is OTP so much more secure
than a simple PK-based key exchange that it is worth even this single tradeoff
(not to mention the initial key exchange hassles and the need to store
megabytes of pad with anyone I might want to talk to)?

[...]
> 4) For authentication, it is simple to get excellent results from an
> OTP.  You simply send n bytes of the OTP, which an attacker has a
> 2^-8n chance in guessing.

That sounds prone to a man in the middle attack; what is to stop someone from
taking your authentication packet with the N bits of unguessable pad, cause
your connection to drop and then authenticating as you using the pad you sent
earlier?

You could probably do a challenge-response authentication based on pad bits
pretty easily, however, though doing it in a way that doesn't require a secure
hash might be a little trickier.

> How do we ensure message integrity?  Is it
> enough to include a checksum that is encrypted with the pad?  Does it
> depend on our method of encipherment?  Assuming the encipherment is
> XOR, is a CRC sufficient, or can one flip bits in the message and CRC
> field so as to cancel each other?

There are some attacks against WEP along those lines (they used RC4 to encrypt
the checksum, instead of a one time pad, but it would end up about the same, I
would think). Using HMAC keyed with pad bits seems a lot more sane to me...

> 6) How should one detect and recover from lost, reordered, or partial
> messages?

I think that this question needs to be asked at all points to one of the flaws
of OTP from a practical standpoint.

-Jack

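The integrity question (Travis's point 4 and Jack's WEP remark above) is easy to check concretely. The following is an added example, not code from the thread or from any of its participants: it seals one constructed message two ways, once as "message + CRC-32, XORed with the pad", once as "XOR with pad bytes, then HMAC-SHA256 keyed with a further 32 fresh pad bytes" (encrypt-then-MAC; the concrete hash, key length and framing are my assumptions, Jack only says "HMAC keyed with pad bits"). It then flips one digit of the amount in each ciphertext and reports which receiver accepts the result. CRC-32 is affine over XOR, so the checksum variant accepts the altered message; the MAC variant does not. The pad is drawn from os.urandom purely so the script runs offline.

```python
"""Added example (not from the thread): an XOR-encrypted CRC gives no
integrity, an HMAC keyed with pad bytes does.  The pad here comes from
os.urandom so the script runs offline; in the scenario under discussion it
would come from the courier's CD-ROM, and every byte is used exactly once."""
import hashlib
import hmac
import os
import zlib

TAG_LEN = 4          # CRC-32 field
MAC_LEN = 32         # HMAC-SHA256 field
MAC_KEY_LEN = 32     # pad bytes spent on the MAC key per message


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR a with the same-length prefix of b (b may be longer)."""
    return bytes(x ^ y for x, y in zip(a, b))


def crc_seal(msg: bytes, pad: bytes) -> bytes:
    """Question 4's candidate: append CRC-32, XOR everything with the pad."""
    body = msg + zlib.crc32(msg).to_bytes(TAG_LEN, "big")
    if len(pad) < len(body):
        raise ValueError("pad exhausted")
    return xor_bytes(body, pad)


def crc_open(ct: bytes, pad: bytes):
    """Return the message if its CRC checks out, else None."""
    body = xor_bytes(ct, pad)
    msg, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    return msg if zlib.crc32(msg).to_bytes(TAG_LEN, "big") == tag else None


def crc_flip_mask(delta: bytes) -> bytes:
    """Why the CRC variant fails: CRC-32 is affine over XOR, so
    crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros of len(d)).  Flipping bits d
    in the message together with the matching bits in the tag keeps the
    checksum valid without knowing m or the pad: the 'cancel each other'
    case from question 4 (and the WEP ICV problem Jack mentions).  It is
    here so a reviewer can reject such a design with a failing test."""
    tag_delta = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    return delta + tag_delta.to_bytes(TAG_LEN, "big")


def mac_seal(msg: bytes, pad: bytes) -> bytes:
    """Jack's alternative: XOR with pad bytes, then HMAC the ciphertext under
    a key made of *fresh* pad bytes (encrypt-then-MAC).  Consumes
    len(msg) + MAC_KEY_LEN bytes of pad."""
    n = len(msg)
    if len(pad) < n + MAC_KEY_LEN:
        raise ValueError("pad exhausted")
    ct = xor_bytes(msg, pad[:n])
    tag = hmac.new(pad[n:n + MAC_KEY_LEN], ct, hashlib.sha256).digest()
    return ct + tag


def mac_open(blob: bytes, pad: bytes):
    """Verify the tag in constant time before touching the plaintext."""
    ct, tag = blob[:-MAC_LEN], blob[-MAC_LEN:]
    n = len(ct)
    expect = hmac.new(pad[n:n + MAC_KEY_LEN], ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        return None
    return xor_bytes(ct, pad[:n])


def tamper(blob: bytes, mask: bytes) -> bytes:
    """Apply a bit-flip mask to the first len(mask) bytes of a blob."""
    return xor_bytes(blob, mask) + blob[len(mask):]


def run_checks(pad: bytes = b"") -> dict:
    """Seal the same constructed message both ways, flip '1' to '9' in the
    amount, and report what each receiver makes of the forgery."""
    pad = pad or os.urandom(256)            # constructed demo pad
    msg = b"PAY $100 TO BOB"
    delta = bytearray(len(msg))
    delta[5] = ord("1") ^ ord("9")          # $100 -> $900
    delta = bytes(delta)

    crc_forged = tamper(crc_seal(msg, pad), crc_flip_mask(delta))
    mac_forged = tamper(mac_seal(msg, pad), delta)
    return {
        "crc_roundtrip": crc_open(crc_seal(msg, pad), pad),
        "crc_forgery_accepted_as": crc_open(crc_forged, pad),
        "mac_roundtrip": mac_open(mac_seal(msg, pad), pad),
        "mac_forgery_accepted": mac_open(mac_forged, pad) is not None,
    }


if __name__ == "__main__":
    for k, v in run_checks().items():
        print(f"{k}: {v!r}")
```

The design point is the one Jack makes: a checksum that is linear over XOR inherits the malleability of the XOR cipher, so integrity has to come from a keyed function, and its key must be pad bytes that are never reused for anything else. The MAC here costs 32 pad bytes per message on top of the message length, which is the price Travis's question 5 and 6 budgeting would need to include.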


Re: thoughts on one time pads

2006-01-26 Thread Ralf Senderek
On Thu, 26 Jan 2006, Travis H. wrote:

> All I've got to say is, I'm on this like stink on doo-doo.  Being the
> thorough, methodical, paranoid person I am, I will be grateful for any
> pointers to prior work and thinking in this area.

You may wish to look at:

Ueli M. Maurer: Conditionally-Perfect Secrecy and a Provably-Secure Randomized
Cipher
in: Journal of Cryptography, vol 5, no. 1, pp. 53-66, 1992 (available online)

and

Ferguson, Schneier, Wagner: Security Weaknesses in Maurer-Like Randomized 
Stream Ciphers
published on Schneier's website

Regards
   Ralf Senderek


*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*
* Ralf Senderek  [EMAIL PROTECTED] http://senderek.com*  What is privacy  *
* Sandstr. 60   D-41849 Wassenberg  +49 2432-3960   *  without  *
* PGP: AB 2C 85 AB DB D3 10 E7  CD A4 F8 AC 52 FC A9 ED *Pure Crypto?   *
49466008763407508762442876812634724277805553224967086648493733366295231438448



Re: A glimpse of SIGINT 20 years ago...

2006-01-26 Thread Anne Lynn Wheeler
Perry E. Metzger wrote:
> This is a couple of weeks old, but it appears that, by accident, a lot
> of information on the targets and methods being used for
> US/Australian/NZ SIGINT about 20 years ago has come to light as the
> result of the release of a late New Zealand Prime Minister's papers.
>
> http://www.stuff.co.nz/stuff/print/0,1478,3540743a6005,00.html
>
> Among other things:
>
>    The report lists the Tangimoana station's targets in 1985-86 as
>    French South Pacific civil, naval and military; French Antarctic
>    civil; Vietnamese diplomatic; North Korean diplomatic; Egyptian
>    diplomatic; Soviet merchant and scientific research shipping; Soviet
>    Antarctic civil. Soviet fisheries; Argentine naval; Non-Soviet
>    Antarctic civil; East German diplomatic; Japanese diplomatic;
>    Philippine diplomatic; South African Armed Forces; Laotian diplomatic
>    (and) UN diplomatic.
>
>    The station intercepted 165,174 messages from these targets, an
>    increase of approximately 37,000 on the 84/85 figure. Reporting on the
>    Soviet target increased by 20% on the previous year.

recent posting and glimpse of public key crypto 20 years ago
http://www.garlic.com/~lynn/2006.html#30



Re: thoughts on one time pads

2006-01-26 Thread bear


On Thu, 26 Jan 2006, Travis H. wrote:

> For example, you may have occasional physical meetings with a good
> friend, colleague, family member, or former co-worker.  Let's say
> you see them once every few years, maybe at a conference or a
> wedding or a funeral or some other occasion.  At such times, you
> could easily hand them a CD-ROM or USB flash drive full of key
> material.  Then, you could use that pad to encrypt messages to them
> until the next time you meet.  Let's say you send them ten 1kB
> messages per year.  Then a $1 CD-ROM would hold enough data for
> 7 years of communication!  Heck, I could put the software on the
> image and make a dozen to keep with me, handing them out to new
> acquaintances as a sort of preemptive secure channel.

It's far easier and less error-prone to hand them a CD-ROM
full of symmetric keys indexed by date.

The problem is that most people will not take the care needed
to properly use a one-time pad.  For text communications like
this forum, they're great, and a (relatively) small amount of
keying material, as you suggest, will last for many years.

But modern applications are concerned with communicating *DATA*,
not original text; someone on the system is going to want to
send their buddy a 30-minute video of the professor explaining
a sticky point to the class, and where is your keying material
going then?  He wants to be ignorant of the details of the
cryptosystem; he just hits secure send and waits for magic
to happen.  Or if not a 30-minute video, then the last six
months of account records for the west coast division of the
company, or a nicely formatted document in a word processor
format that uses up a megabyte or two per page, or ...
whatever.  The OTP is nice for just plain text, but the more
bits a format consumes, the less useful it becomes.  And
fewer and fewer people even understand how much or how
little bandwidth something is; they think in terms of human
bandwidth, the number of seconds or minutes of attention
required to read or listen to or watch something.

An OTP, as far as I'm concerned, makes a really good system,
but you have to respect its limits.  One of those limits is
a low-bandwidth medium like text-only messages, and in the
modern world that qualifies as specialized.

Given a low-bandwidth medium, and indexing keying material
into daily chunks to prevent a system failure from resulting
in pad reuse, you get 600 MB on a CD-ROM.  Say you want a
century of secure communications, so you divide it into 8-
kilobyte chunks -- each day you can send 8 kilobytes and
he can send 8 kilobytes.  (Note that DVD-ROMs are better).

That gives you a little over 100 years (read, all you're likely
to need, barring catastrophic medical advances,) of a very
secure low-bandwidth channel.

Of course, the obvious application for this OTP material,
other than text messaging itself, is to use it for key
distribution.

Bear
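bear's daily-chunk layout, and the pad-reset failure Jack describes earlier in the thread, can be made concrete. The following is an added example, not code from bear or anyone else on the list: it lays out a pad as date-indexed chunks with one 8 kB half per direction, checks bear's "a little over 100 years" arithmetic for a 600 MB CD-ROM, and shows that a party who loses its cursor (crash, restore from backup) still cannot reach another day's bytes, because the offset is a function of the date rather than of any counter. Bytes are overwritten in the local copy as they are handed out (Travis's "incrementally destroy the pad"); the offset travels in clear with each message so the peer can locate the same bytes after loss or reordering, and the peer checks that the offset really lies in the sender's half of that day. "Alice", "Bob", the epoch date and the 10-day demo pad from os.urandom are constructed for the example.

```python
"""Added example, not from bear's post: a pad laid out as date-indexed daily
chunks, one half per direction, so that a reset counter or restored backup
can never land on another day's bytes.  The budget numbers are bear's
(600 MB, 8 kB per party per day); the demo pad, epoch and party names are
constructed so the script runs offline."""
import os
from datetime import date, timedelta

PAD_BYTES = 600 * 1000 * 1000    # one CD-ROM, per bear's post
CHUNK_BYTES = 8 * 1024           # each party's allowance for one day
DAY_BYTES = 2 * CHUNK_BYTES      # both directions together


def pad_lifetime_days(pad_bytes: int = PAD_BYTES) -> int:
    """How many days the pad lasts at DAY_BYTES per day."""
    return pad_bytes // DAY_BYTES


def pad_lifetime_years(pad_bytes: int = PAD_BYTES) -> float:
    return pad_lifetime_days(pad_bytes) / 365.25


def chunk_bounds(epoch: date, day: date, direction: int,
                 pad_bytes: int = PAD_BYTES) -> tuple:
    """Byte range [start, end) of `day`'s chunk for direction 0 (A->B) or
    1 (B->A).  Offsets are a pure function of the date, which is what makes
    yesterday's bytes unreachable today no matter what a cursor says."""
    if direction not in (0, 1):
        raise ValueError("direction must be 0 or 1")
    idx = (day - epoch).days
    if not 0 <= idx < pad_lifetime_days(pad_bytes):
        raise ValueError("day outside the pad's lifetime")
    start = idx * DAY_BYTES + direction * CHUNK_BYTES
    return start, start + CHUNK_BYTES


class DailyPad:
    """One party's copy of the pad.  Bytes are handed out only from today's
    own half and overwritten in the store as they go.  Within a single day
    that burn step is the only thing preventing reissue after a crash, and
    only if the burnt store is what survives (Jack's backup scenario);
    across days the date index protects regardless."""

    def __init__(self, store: bytearray, epoch: date, direction: int):
        self.store, self.epoch, self.direction = store, epoch, direction
        self._cursor_day, self._cursor = None, 0

    def take(self, day: date, n: int) -> tuple:
        """Return (offset, bytes).  The offset is sent in clear with the
        message so the peer can find the same bytes after loss/reordering."""
        start, _ = chunk_bounds(self.epoch, day, self.direction, len(self.store))
        if day != self._cursor_day:
            self._cursor_day, self._cursor = day, 0
        if self._cursor + n > CHUNK_BYTES:
            raise RuntimeError("daily allowance exhausted")
        lo = start + self._cursor
        out = bytes(self.store[lo:lo + n])
        self.store[lo:lo + n] = bytes(n)     # burn after use
        self._cursor += n
        return lo, out

    def peer_bytes(self, day: date, offset: int, n: int) -> bytes:
        """Fetch the bytes a received message points at, after checking that
        the offset lies inside the *peer's* half of that day."""
        start, end = chunk_bounds(self.epoch, day, 1 - self.direction, len(self.store))
        if not (start <= offset and offset + n <= end):
            raise ValueError("offset is not in the peer's chunk for that day")
        out = bytes(self.store[offset:offset + n])
        self.store[offset:offset + n] = bytes(n)
        return out


def demo() -> dict:
    epoch = date(2006, 1, 26)                      # constructed: day the CD changed hands
    master = os.urandom(10 * DAY_BYTES)            # constructed 10-day pad
    alice = DailyPad(bytearray(master), epoch, 0)
    bob = DailyPad(bytearray(master), epoch, 1)    # identical copy
    day3, day4 = epoch + timedelta(days=3), epoch + timedelta(days=4)

    off, day_key = alice.take(day3, 32)            # e.g. a key for a conventional cipher
    bob_sees_same = bob.peer_bytes(day3, off, 32) == day_key

    # Alice's machine "crashes": a fresh object has forgotten the cursor.
    alice_after_restore = DailyPad(alice.store, epoch, 0)
    off_next, _ = alice_after_restore.take(day4, 32)
    disjoint = off_next >= off + 32                # day 4 never overlaps day 3

    try:                                           # Bob must refuse his own half
        bob.peer_bytes(day3, chunk_bounds(epoch, day3, 1, len(bob.store))[0], 8)
        rejects_own_half = False
    except ValueError:
        rejects_own_half = True

    return {"lifetime_years": round(pad_lifetime_years(), 2),
            "bob_sees_same": bob_sees_same,
            "day4_disjoint_from_day3": disjoint,
            "rejects_own_half": rejects_own_half}


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the four results; the lifetime comes out at about 100.3 years, matching bear's figure. The layout deliberately wastes whatever part of a day's chunk goes unused, which is the trade bear is making: a bounded, date-addressed allowance in exchange for never needing a synchronised counter between the two parties.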














