Re: Quantum Cryptography
On Jun 26, 2007, at 10:10 AM, Nicolas Williams wrote:

> This too is a *fundamental* difference between QKD and classical cryptography.

What does this "classical" word mean? Is it the Quantum way to say "real"? I know we're in violent agreement, but why are we letting them play language games?

IMO, QKD's ability to discover passive eavesdroppers is not even interesting (except from an intellectual p.o.v.) given: its inability to detect MITMs, its inability to operate end-to-end across middle boxes, while classical crypto provides protection against eavesdroppers *and* MITMs both *and* supports end-to-end operation across middle boxes.

Moreover, the quantum way of discovering passive eavesdroppers is really just a really delicious sugar coating on the classical term "denial of service". "I'm not being DoSed, I'm detecting a passive eavesdropper!"

Jon

- The Cryptography Mailing List. Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
History, context, QKD and the Internet
I'm old enough to remember hearing (I've worked at BBN for a long time now) that connecting computers on a large scale just isn't going to work, that I would never need more than 4MB of main memory, etc. Any reader can fill out the rest without my risking being pedantic.

I do remember before public key when symmetric keys were delivered by an extended workforce and no-one believed there would be a need for consumer crypto. I also remember lots of questions about PK, its validity and management - some of which are still being asked. Is there a hash algorithm that _everyone_ is satisfied with? Authentication before PK was possession of the secret key.

The world of computing and communication sure looks different 40+ years later. So I encourage you to look at QKD in context. I know everything is moving in internet time but remember just how recently QKD has been dragged off of the physics optics bench by some engineers to see what can be done with it. Also, a small revolution has been taking place while discussion (on this list anyway) has focused on 1st generation QKD. Several very high speed (up to nominal line speed) systems have been proposed. Long-haul all-optical networks are being researched, and some will be built. The problem of authentication is well understood, even if it hasn't been solved. Of course, you have to keep up with the literature and not remain stuck in the '80s with BB84. We live in internet time.

John
Re: Free Rootkit with Every New Intel Machine
Jon Callas wrote:

> On Jun 25, 2007, at 7:23 PM, Matt Johnston wrote:
>
>> On Mon, Jun 25, 2007 at 04:42:56PM +1200, David G. Koontz wrote:
>>
>>> Apple (mis)uses TPM to unsuccessfully prevent OS X from running on non-Apple Hardware. All Apple on Intel machines have TPM, that's what 6 percent of new PCs?
>>
>> To nit pick, the TPM is only present in some Apple Intel machines and isn't used in any of them. See http://osxbook.com/book/bonus/chapter10/tpm/ Their OS decryption key is just stored in normal firmware, unprotected AIUI.
>
> Are you discussing how they handle their encrypted swap, encrypted disk (via FileVault) or their encrypted sleep image? I was unaware that Apple had implemented full root file system encryption.

They've apparently stopped shipping TPMs. There isn't one on my MacBook Pro from last November, and it is missing on my wife's new Santa Rosa machine.

If you want to see if a machine has one, then the command:

    sudo ioreg -w 0 | grep -i tpm

should give something meaningful. Mine reports the existence of ApplePCISlotPM, but that's not the same thing. A positive match looks like this:

    |   +-o ApplePCISlotPM  <class ApplePCISlotPM, !registered, !matched, active, busy 0, retain count 8>
    |   +-o TPM  <class IOACPIPlatformDevice, registered, matched, active, busy 0, retain count 6>

Regards,
Jacob Appelbaum
Re: Free Rootkit with Every New Intel Machine (aka TPM, AMT)
I'd also scrawled:

> my understanding from a person active in the NEA working group [1] (IETF) is that TPMs these days come along for free because they're included on-die in at least one of said chips.

[EMAIL PROTECTED] said:

> Check again. A few months ago I was chatting with someone who works for a large US computer hardware distributor and he located one single motherboard (an Intel one, based on an old, possibly discontinued chipset) in their entire inventory that contained a TPM (they also had all the ex-IBM/Lenovo laptops, and a handful of HP laptops, that were reported as having TPMs). He also said that there were a handful of others (e.g. a few Dell laptops, which they don't carry) with TPMs.

My bad. I'd neglected to add "on enterprise-class systems" after "come along for free" (a qualification he did indeed express). WRT Dell notebooks, that'd be the Latitude models. In fact, with a little searching, I found the Dell pages below [2] that indicate TPM is installed on Dell's D-series enterprise class notebooks.

[EMAIL PROTECTED] said:

> One of the driving forces for TPM adoption going forward will be enterprise remote or distributed management.

Of course. And that's the driving force behind the IETF NEA (Network Endpoint Assessment) working group AFAIK [1].

=JeffH

--
[1] http://www.ietf.org/html.charters/nea-charter.html
[2] http://www.dell.com/content/topics/global.aspx/solutions/en/latitude_highlight?c=usl=ens=gen

...
Trusted Platform Module (TPM 1.1)
The TPM, or Trusted Platform Module ships standard on D410, D610, D810. TPM is a security hardware device on the system board that will hold computer generated keys for encryption. It is a hardware-based solution that can help avoid attacks by hackers looking to capture passwords and encryption keys to sensitive data.
...

http://www.dell.com/content/learnmore/learnmore.aspx?c=uscs=RC968571l=ens=hea~id=smartcard~line=notebooks~mode=popup~series=latit~tab=recommendations

What is TPM?
The TPM, or Trusted Platform Module, is a security hardware device on the system board that will hold computer generated keys for encryption. It is a hardware based solution that can help avoid attacks by hackers looking to capture passwords and encryption keys to sensitive data. When deploying advanced security features like TPM in your environment, the archive and recovery of keys protected by the TPM is critical to avoiding the risk of data loss or inaccessibility in the event of a system failure.

The security features provided by the TPM are internally supported by the following cryptographic capabilities of each TPM: hashing, random number generation, asymmetric key generation, and asymmetric encryption/decryption. Each individual TPM on each individual computer system has a unique signature initialized during the silicon manufacturing process that further enhances its trust/security effectiveness. Each individual TPM must have an Owner before it is useful as a security device.

TPM Applications
TPM is useful for any customer that is interested in providing an additional layer of security to the computer system. The TPM, when bundled with an optional security software package, can provide overall system security, file protection capabilities and protect against email/privacy concerns. TPM helps provide security that can be stronger than that contained in the system BIOS, operating system, or any non-TPM application.

Which Dell systems support TPM?
The TPM 1.2 security hardware device comes standard on the following Latitude™ notebook systems: Latitude D420, D620, D820; OptiPlex™ desktop systems: OptiPlex 745, 740; and Dell Precision™ Mobile Workstations M65, M90. Dell recommends the use of the Microsoft® Windows® XP Professional operating system with TPM, which includes advanced security, mobility and networking features. TPM is currently not supported by Dell on Red Hat® Linux® operating systems.
Customers who deploy TPM should also purchase Wave Systems Embassy Trust Suite from Dell Software Peripherals to enable full TPM features including key archival and migration.
--- end
RE: question re practical use of secret sharing
Peter Gutmann writes:

> > Is anyone aware of a commercial product that implements secret sharing? If so, can I get a pointer to some product literature?
>
> It's available as part of other products (e.g. nCipher do it for keying their HSMs)

Do you mean the k of n operator cards? For those, I don't think nCipher is using real secret sharing. I would guess that the HSM knows the secret(s), and counts the operator cards that are submitted.

There is a financial standard for distributing ZCMKs (Zone Control Master Keys) that splits the ZCMK up into three pieces the same length as the original. This is 3 of 3. nCipher and other HSM vendors support this, and it's used with a little hand-held PIN pad. I guess this would count as an example of products that use secret sharing. Perhaps this is what you were referring to.

gh

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Gutmann
Sent: Thursday, June 21, 2007 6:57 AM
To: [EMAIL PROTECTED]; cryptography@metzdowd.com
Subject: Re: question re practical use of secret sharing

Charles Jackson [EMAIL PROTECTED] writes:

> Is anyone aware of a commercial product that implements secret sharing? If so, can I get a pointer to some product literature?

It's available as part of other products (e.g. nCipher do it for keying their HSMs), but I don't know of any product that just does... secret sharing. What would be the user interface for such an application? What would be the target audience? (I mean a real target audience, not some hypothesised scenario).

(This is actually a serious question. I talked with some crypto guys a few years ago about doing a standard for secret sharing, but to do that we had to come up with some general usage model for it rather than just one particular application-specific solution, and couldn't). Besides that, user demand for it was practically nonexistent...
no, it was completely nonexistent, apart from a few highly specialised custom uses we couldn't even find someone to use as a guinea pig for testing, and the existing specialised users already had specialised solutions of their own for handling it.

Peter.
anti-RF window film
http://www.sciam.com/article.cfm?articleid=6670BF9B-E7F2-99DF-3EAC1C6DC382972F

A company is selling a window film that blocks most RF signals. The obvious application is TEMPEST-shielding. I'm skeptical that it will be very popular -- most sites won't want to give up Blackberry and cell phones...

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: Quantum Cryptography
On 6/25/07, Greg Troxel [EMAIL PROTECTED] wrote:

> 1) Do you believe the physics? (Most people who know physics seem to.)

For those who would like to know a little more about the physics, see: http://www.icfo.es/images/publications/J05-055.pdf, "Quantum Cloning", Valerio Scarani, Sofyan Iblisdir, and Nicolas Gisin. This is a late 2005 review of eavesdropping techniques for QKD. Much of the terminology of quantum physics is unfamiliar to me but I think the paper states that Eve could theoretically get 5/6 of the bits through cloning and, to keep this from happening, Alice and Bob have to assume an eavesdropper if more than 11% of the bits have errors.

also: http://w3.antd.nist.gov/pubs/Mink-SPIE-One-Time-Pad-6244_22.pdf, "One-Time Pad Encryption of Real-Time Video", Alan Mink, Xiao Tang, LiJun Ma, Tassos Nakassis, Barry Hershman, Joshua C. Bienfang, David Su, Ron Boisvert, Charles W. Clark and Carl J. Williams - a more accessible paper describing a working system where NIST claims bit error rates in the 3% range while generating key material at greater than 2Mb/s. It's not clear whether the bit error rate is before or after an error correction stage but the paper discusses how bit error rate reduces the overall result after privacy amplification so I believe they have thought of Eve cloning photons in flight.

-Michael
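How the error rate "reduces the overall result after privacy amplification", as an added worked example (not from the post or the papers it cites): under the standard one-way BB84 bound, each sifted bit yields r(Q) = 1 - 2h(Q) secret bits, one h(Q) spent on error correction and one on privacy amplification against what Eve learned by causing those errors; r hits zero near the 11% QBER the post mentions. Treating the 2 Mb/s figure as a sifted-key rate, and modelling Eve as forwarding one copy from a 5/6-fidelity cloner, are assumptions.

```python
"""Added example: asymptotic BB84 key fraction r(Q) = 1 - 2 h(Q) (one-way bound,
ideal error correction assumed) evaluated at the numbers quoted in the post."""
import math


def h(q: float) -> float:
    """Binary entropy in bits per symbol."""
    if q <= 0.0 or q >= 1.0:
        return 0.0
    return -q * math.log2(q) - (1.0 - q) * math.log2(1.0 - q)


def key_fraction(qber: float) -> float:
    """Secret bits per sifted bit; zero once error correction plus privacy
    amplification cost more than the sifted key carries."""
    return max(0.0, 1.0 - 2.0 * h(qber))


def qber_threshold(tol: float = 1e-7) -> float:
    """Largest tolerable QBER: bisect for the root of 1 - 2 h(Q) on [0, 1/2]."""
    lo, hi = 0.0, 0.5
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if key_fraction(mid) > 0.0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def secret_rate(sifted_bps: float, qber: float) -> float:
    """Final key rate for a given sifted-key rate and observed QBER."""
    return sifted_bps * key_fraction(qber)


def clone_disturbance(fidelity: float) -> float:
    """If Eve keeps one copy and forwards the other from a symmetric cloner of
    the given fidelity, Bob's bit is wrong with probability 1 - fidelity."""
    return 1.0 - fidelity


if __name__ == "__main__":
    print(f"QBER threshold: {qber_threshold():.4f}")
    print(f"key fraction at 3% QBER: {key_fraction(0.03):.3f}")
    # Assumed: the post's 2 Mb/s is taken as a sifted-key rate.
    print(f"2 Mb/s sifted at 3% QBER -> {secret_rate(2e6, 0.03) / 1e6:.2f} Mb/s secret")
    q = clone_disturbance(5.0 / 6.0)   # the 5/6 figure quoted in the post
    print(f"5/6-fidelity clone: QBER {q:.3f}, key fraction {key_fraction(q):.3f}")
```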
TPM, part 2
All your data belong to us. From Computerworld.

-- Jerry

Trusted Computing Group turns attention to storage
Chris Mellor
June 24, 2007 (TechWorld.com)

The Trusted Computing Group has announced a draft specification aimed at helping block unauthorized access to sensitive data on hard drives, flash drives, tape cartridges and optical disks. These devices won't release data unless the access request is validated by their own on-drive security function.

David Hill, a principal in the Mesabi Group, said: "The public media blares the loss of confidential information on large numbers of individuals on what seems a daily basis, and that is only the tip of the data breach iceberg for not having trusted storage. Trusted storage will soon be seen as a necessity -- not just a nice to have -- by all organizations."

The Trusted Computing Group (TCG) is a not-for-profit industry-standards organization with the aim of enhancing the security of computers operating in disparate platforms. Its draft, developed by more than 60 of the TCG's 2175 member companies, specifies an architecture which defines how accessing devices could interact with storage devices to prevent unwanted access.

Storage devices would interact with a trusted element in host systems, generally a Trusted Platform Module (TPM), which is embedded into most enterprise PCs. The trust and security functions from the specification could be implemented by a combination of firmware and hardware on the storage device. Platform-based applications can then utilize these functions through a trusted command interface negotiated with the SCSI and ATA standards committees.

Thus a server or PC application could issue access requests to a disk drive and provide a key, random number or hash value. The drive hardware and/or firmware checks that this is valid and then supplies the data, decrypting it if necessary.
Future versions of the SATA, SCSI and SAS storage interfaces would be extended to support the commands and parameters needed for such access validity checking.

Mark Re, Seagate Research SVP, said: "Putting trust and security functions directly in the storage device is a novel idea, but that is where the sensitive data resides. Implementing open, standards-based security solutions for storage devices will help ensure that system interoperability and manageability are greatly improved, from the individual laptop to the corporate data center." Seagate already has an encrypting drive.

Marcia Bencala, Hitachi GST's marketing and strategy VP, said: "Hitachi's Travelstar mobile hard drives support bulk data encryption today and we intend to incorporate the final Trusted Storage Specification as a vital part of our future-generation products."

The TCG has formed a Key Management Services subgroup, to provide a method to manage cryptographic keys. Final TCG specifications will be published soon but companies could go ahead and implement based on the draft spec.
The bank fraud blame game
As always, banks look for ways to shift the risk of fraud to someone - anyone - else. The New Zealand banks have come up with some interesting wrinkles on this process. From Computerworld.

-- Jerry

NZ banks demand a peek at customer PCs in fraud cases
Stephen Bell
June 26, 2007 (Computerworld New Zealand)

Banks in New Zealand are seeking access to customer PCs used for online banking transactions to verify whether they have enough security protection. Under the terms of a new banking Code of Practice, banks may request access in the event of a disputed transaction to see if security protection is in place and up to date.

The code, issued by the Bankers' Association last week after lengthy drafting and consultation, now has a new section dealing with Internet banking. Liability for any loss resulting from unauthorized Internet banking transactions rests with the customer if they have "used a computer or device that does not have appropriate protective software and operating system installed and up-to-date, [or] failed to take reasonable steps to ensure that the protective systems, such as virus scanning, firewall, antispyware, operating system and antispam software on [the] computer, are up-to-date."

The code also adds: "We reserve the right to request access to your computer or device in order to verify that you have taken all reasonable steps to protect your computer or device and safeguard your secure information in accordance with this code. If you refuse our request for access then we may refuse your claim."

InternetNZ was still reviewing the new code, last week, executive director Keith Davidson told Computerworld. "In general terms, InternetNZ has been encouraging all Internet users to be more security conscious, especially ... to use up-to-date virus checkers, spyware deletion tools and a robust firewall," Davidson says. "The new code now places a clear obligation on users to comply with some pragmatic security requirements, which does seem appropriate."
"If fraud continues unabated, then undoubtedly banks would need to increase fees to cover the costs of fraud," he says, "so increasing security awareness and compliance in advance is probably the better tactic for both banks and their customers."

Bank customers who are unhappy with the new rules may choose to dispense with electronic banking altogether, and return to dealing with tellers at the bank. "But it seems that electronic banking and in particular Internet banking has become the convenient choice for consumers," Davidson says.

The code also warns users that they could be liable for any loss if they have chosen an obvious PIN or password, such as a consecutive sequence of numbers, a birth date or a pet's name; disclosed a PIN or password to a third party or kept a written or electronic record of it. Similar warnings are already included in the section that deals with ATM and PINs for Eftpos that was issued in 2002. There is nothing in this clause allowing an electronic record to be held in a password-protected cache -- a facility provided by some commercial security applications.

For their part, the banks undertake to provide information on their websites about appropriate tools and services for ensuring security, and to tell customers where they can find this information when they sign up for Internet banking.

"One issue we have raised with the Bankers Association in the past is that banks should not initiate email contact with their customers," Davidson says. The code allows banks to use unsolicited email among other media to advise of changes in their arrangements with the customer, but Davidson says they should only utilize their web-based mail systems. "It is hardly surprising that some people fall victim to phishing email scams when banks use email as a normal method of communication, and therefore email can be perceived as a valid communication by end users," he says.
Re: anti-RF window film
| http://www.sciam.com/article.cfm?articleid=6670BF9B-E7F2-99DF-3EAC1C6DC382972F
|
| A company is selling a window film that blocks most RF signals. The
| obvious application is TEMPEST-shielding. I'm skeptical that it will
| be very popular -- most sites won't want to give up Blackberry and
| cell phones...

Real life follows fiction? There was a Law and Order episode a year or two back in which a high-tech company used some alleged technology like this - a fine mesh of wires over the windows. (An important clue was one of the detectives noticing that the mesh had been disturbed. Someone had replaced the wires in a small region with black thread, then hid a cell-phone repeater outside the window. As I recall, the reason for doing it was just your typical hacker "you try to stop me, I'll get around you" trick.)

There were also reports not that long ago of a paint that provided RF shielding. On a more refined basis, there was some kind of material suitable for walls that had embedded antennas. You cut them for a particular frequency range, and they provided very good shielding in that range.

There is clearly a demand for this kind of thing. New technologies are making a hash of the old (sometimes not so old!) rules. Two examples:

- The day of open access to the Internet from businesses is long gone in most places. All kinds of concerns feed into this; a big part is concern about liability when employees access inappropriate sites. This will all seem a bit silly when the penetration of high-speed wireless Internet access reaches reasonable levels.

- Insider trading rules have placed all kinds of interesting restrictions on how trading firms do business. In particular, every phone message in and out of sensitive areas is recorded, as is all email. But cell phones, text messaging, and so on bypass all that. I gather some firms are responding by requiring that employees use only company-provided cell phones. (Whether those calls get recorded is another question.)
How well they'll be able to maintain such policies, as cell phones morph into multi-function personal devices, is an open question.

With all this going on, the desire to just finesse the whole problem by physically blocking signals is certainly only going to grow. Interesting times.

-- Jerry
Re: The bank fraud blame game
[ This may well be OT; I leave that to the moderator. ]

Leichter, Jerry writes:
-+---
| As always, banks look for ways to shift the risk of
| fraud to someone - anyone - else. The New Zealand
| banks have come up with some interesting wrinkles on
| this process.
|

This is *not* a power play by banks, the Trilateral Commission, or the Gnomes of Zurich. It is the first echo of a financial thunderclap. As, oddly, I said only yesterday, I think that big ticket Internet transactions have become inadvisable and will become more so. I honestly think that the party could be over for e-commerce, with eBay Motors as its apogee.

Now what I think I know and what I am about to say are all based on hearsay. It is surely wrong in part, but until I am corrected in public it is true enough for lemonade making.

The story begins with E-Trade's 10-Q filing of 17 November, which filing is at [1] and elsewhere. In that 10-Q, we have this paragraph:

    Other expenses increased 97% to $45.7 million and 55% to $101.9 million for the three and nine months ended September 30, 2006, respectively, compared to the same periods in 2005. These increases were primarily due to fraud related losses during the third quarter of 2006 of $18.1 million, of which $10.0 million was identity theft related. The identity theft situations arose from recent computer viruses that attacked the personal computers of our customers, not from a breach of the security of our systems. We reimbursed customers for their losses through our Complete Protection Guarantee. These fraud schemes have impacted our industry as a whole. While we believe our systems remain safe and secure, we have implemented technological and operational changes to deter unauthorized activity in our customer accounts.

In other words, remote exploitation of individual customers' computers, doubtless many of them home machines and the laptops of road warriors, eventually led to a loss for E-Trade that was material enough to appear on the 10-Q.
This is not a pump-and-dump scheme where rubes are snookered into buying some worthless stock. No, it is the actual entry of trades into legitimate trading systems by legitimate users, only with the special case that those users are actually the alien malware using the captured credentials of the legitimate user and entering the trades from the legitimate user's legitimate machine. As I understand it, some of this malware is clever enough to piggyback sessions that are opened by the legitimate user using the much vaunted 2-factor authentication; thus proving that 2-factor auth is a mere palliative.

As you are well aware, stealing data is now and everywhere the name of the game, and we have lots of supporting evidence that such theft is fully professionalized. As one example, the APWG has already shown that phishing e-mails are transmitted in a pattern that suggests the transmitters are enjoying a conventional 5-day work week, and there are many other examples. Mike Danseglio, Security Program Director at Microsoft, said two interesting things in the last six months: (1) that 2/3rds of all PCs have unwanted software running on them and (2) that state-of-the-art attack tools cannot be eliminated without a clean install from the raw iron up.

Well, ironically due to SOx, as the loss amounts get bigger -- and bigger is an assured eventuality -- then those losses will hit Earnings Per Share, and disclosure from the governance and the financial points of view is thus made a requirement as those losses are material. Data security has nothing to do with the disclosure as the disclosure is purely driven by the materiality.

So, let's do a little math. E*Trade, call symbol ET, has an approximate market cap of $9.66B with approximately 440M shares outstanding. Their estimated annual earnings per share is $1.36.
Since the fraud loss goes directly to the bottom line, an $18M loss in the one quarter is a $0.04 hit in earnings per share for the quarter, which on an expected quarterly earning of $0.34/share is a 12% hit to the quarter. This is sufficiently material that it MUST be disclosed, and thus we have, like it or not, data sharing about the impact of digital security lapse -- even if we do not have data sharing about the mechanism of digital security lapse.

What some of the banks now want to do is to have you download fresh code each time you go to trade, code that would theoretically protect the bank from the fact that your (user's) machine is almost surely compromised. To get that protection, such ideas as seizing control of the keyboard from the operating system so that keylogging can't happen while trades are being booked, are being floated. Think about what that would mean -- training users to use their Admin privilege to accept ActiveX controls that strip the OS of this or that subsystem, and to do so in the name of security.

--dan

P.S., The S.E.C. tackling some Estonian clown for $353,609
Re: Free Rootkit with Every New Intel Machine
Peter Gutmann writes:

> BitLocker just uses the TPM as a glorified USB key (sealing a key in a TPM is functionally equivalent to encrypting it on a USB key). Since BitLocker isn't tied to a TPM in any way (I'm sure Microsoft's managers could see which way the wind was blowing when they designed it), it's not going to be TPM's killer app.

Actually BitLocker can use the TPM's measured boot capability for additional security. This requires a TPM-aware BIOS, which hashes the disk's Master Boot Record into the TPM Platform Configuration Registers before executing it, as well as measuring other system software components. The disk encryption key is sealed to the TPM PCR values and the chip won't release it if the boot sequence is different. This means that if you want to attack by, for example, booting from a Linux Live CD or an external USB drive, the chip won't release the encryption key even if you guess the PIN right.

(Some) details at the BitLocker Drive Encryption Technical Overview page: http://technet2.microsoft.com/WindowsVista/en/library/ba1a3800-ce29-4f09-89ef-65bce923cdb51033.mspx?mfr=true

Hal Finney
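The measured-boot sealing Hal describes, as an added model (not Microsoft's BitLocker code nor a TCG implementation): the BIOS extends a SHA-1 measurement of the MBR into a TPM 1.2 PCR before running it, and a key sealed to that PCR value comes back only when the same value is reproduced at unseal time. The PCR index, the chip-resident secret and the seal/unseal construction are assumptions of the model; the boot images and key are constructed.

```python
"""Added model of TPM 1.2 PCR extend + sealing: a key bound to the PCR value of
the installed MBR is refused after booting a different MBR, even with the right
PIN. The PCR index, root secret and seal construction are assumptions."""
import hashlib
import hmac
import secrets

PCR_MBR = 4   # assumed PCR slot for the MBR/IPL measurement


class ModelTPM:
    def __init__(self):
        self._root = secrets.token_bytes(32)   # never leaves the chip (model)
        self.reset()

    def reset(self):
        """Power cycle: all 20-byte PCRs return to zero; the root secret stays."""
        self.pcr = [bytes(20) for _ in range(24)]

    def extend(self, index: int, data: bytes) -> bytes:
        """TPM_Extend: PCR[i] = SHA1(PCR[i] || SHA1(data)); order matters, no undo."""
        digest = hashlib.sha1(data).digest()
        self.pcr[index] = hashlib.sha1(self.pcr[index] + digest).digest()
        return self.pcr[index]

    def composite(self, indices) -> bytes:
        """Digest over the selected PCRs (stands in for a PCR composite hash)."""
        return hashlib.sha1(b"".join(self.pcr[i] for i in sorted(indices))).digest()

    def _derive(self, label: bytes, expected: bytes, pin: bytes) -> bytes:
        return hmac.new(self._root, label + expected + pin, hashlib.sha256).digest()

    def seal(self, key: bytes, indices, pin: bytes) -> dict:
        """Bind a 32-byte key to the current PCR values plus a PIN."""
        assert len(key) == 32
        expected = self.composite(indices)
        kek = self._derive(b"kek", expected, pin)
        return {"indices": tuple(sorted(indices)), "expected": expected,
                "auth": self._derive(b"auth", expected, pin),
                "blob": bytes(a ^ b for a, b in zip(key, kek))}

    def unseal(self, sealed: dict, pin: bytes):
        """Release the key only if PCRs match seal time AND the PIN is right."""
        expected = sealed["expected"]
        if not hmac.compare_digest(self.composite(sealed["indices"]), expected):
            return None   # boot chain differs: refused even with the right PIN
        if not hmac.compare_digest(self._derive(b"auth", expected, pin), sealed["auth"]):
            return None   # wrong PIN
        kek = self._derive(b"kek", expected, pin)
        return bytes(a ^ b for a, b in zip(sealed["blob"], kek))


def boot(tpm: ModelTPM, mbr_image: bytes) -> None:
    """BIOS side of measured boot: measure the MBR into its PCR before running it."""
    tpm.reset()
    tpm.extend(PCR_MBR, mbr_image)


def scenario() -> dict:
    """Constructed boot images and key; reports which boots get the key back."""
    tpm = ModelTPM()
    installed_mbr = b"BitLocker boot manager (constructed stand-in for the real MBR)"
    livecd_mbr = b"isolinux boot sector from a Live CD (constructed stand-in)"
    pin, vek = b"1234", secrets.token_bytes(32)   # volume key (constructed)

    boot(tpm, installed_mbr)                       # PCR now reflects the real MBR
    sealed = tpm.seal(vek, [PCR_MBR], pin)

    results = {}
    boot(tpm, installed_mbr)
    results["same MBR, right PIN"] = tpm.unseal(sealed, pin) == vek
    boot(tpm, installed_mbr)
    results["same MBR, wrong PIN"] = tpm.unseal(sealed, b"0000") == vek
    boot(tpm, livecd_mbr)
    results["Live CD MBR, right PIN"] = tpm.unseal(sealed, pin) == vek
    return results


if __name__ == "__main__":
    for case, released in scenario().items():
        print(f"{case}: {'key released' if released else 'chip refuses'}")
```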
Re: History, context, QKD and the Internet
At 11:08 PM 6/26/2007, John Lowry wrote:

> ... Also, a small revolution has been taking place while discussion (on this list anyway) has focused on 1st generation QKD. Several very high speed (up to nominal line speed) systems have been proposed. Long-haul all-optical networks are being researched, and some will be built. The problem of authentication is well understood, even if it hasn't been solved.

Hmmm, this is very interesting bootstrapping and false matching.

1. You are mentioning "1st generation QKD". Do we have now a 2nd generation of QKD? Where was the 1st generation of QKD applied and used? Nowhere! What are the upgrades and the new things that 2nd generation QKD has? "Our 1st generation of Snake Oil was excellent, but unfortunately was sharply attacked by the people from the field of Cryptology, and consequently it was not broadly accepted. But wait a minute, we have come now with our 2nd generation of Snake Oil. It is even better than the first one, and it is cheaper. Previously if you had to pay $100,000 per year for the secure link, now you have to pay 10 times less, i.e. only $10,000. That is $90,000 saving per year, and imagine for what scientific purposes you can spend those $90,000. ..."

2. All optical networks are reality and nowadays are built even for home-end users. What does that fact have to do with the x-th generation of QKD? In your post you are using the success in one field in Physics to advocate possible acceptance of another (Quantum Cryptography). While optical physics has and will have one of the crucial roles in the modern and future Internet (taking care of the physical layer of the network), QC is trying to offer better solutions (or replace some parts) of a well developed, well established, and well applied scientific field (the field of Cryptology). My opinion is that it won't happen. Dead end.

Danilo!
Re: History, context, QKD and the Internet
John Lowry [EMAIL PROTECTED] writes:

> The world of computing and communication sure looks different 40+ years later. So I encourage you to look at QKD in context. I know everything is moving in internet time but remember just how recently QKD has been dragged off of the physics optics bench by some engineers to see what can be done with it. Also, a small revolution has been taking place while discussion (on this list anyway) has focused on 1st generation QKD. Several very high speed (up to nominal line speed) systems have been proposed. Long-haul all-optical networks are being researched, and some will be built. The problem of authentication is well understood, even if it hasn't been solved.

The issue isn't the speed of the QKD systems, or the distance that they run over. Those are false issues. The issue is that they provide you with much less than conventional technologies give you, and at a high price.

Repeating:

1) No one is contending that QKD doesn't work as advertised per se. The problem is that the advertised functionality is not what anyone wants.

2) The technology is a lead balloon. It gives you nothing that you don't already have, but at an unaffordable price, and on top of it, it gives you *much less* than you already have -- for example, it is more or less useless in providing security in an internet context -- the internet is all about getting rid of dedicated point to point connections.

> Of course, you have to keep up with the literature and not remain stuck in the '80s with BB84.

You remember people saying that networks would never work. (I don't remember that kind of statement being made, but never mind.) You encourage us to remember all the things people were negative on but became big hits. I encourage you to remember bubble memory, DCE, jet packs, and assorted other technologies that went nowhere fast.

Perry
Re: The bank fraud blame game
| Leichter, Jerry writes:
| -+---
| | As always, banks look for ways to shift the risk of
| | fraud to someone - anyone - else. The New Zealand
| | banks have come up with some interesting wrinkles on
| | this process.
| |
| This is *not* a power play by banks, the Trilateral Commission,
| or the Gnomes of Zurich. It is the first echo of a financial
| thunderclap. As, oddly, I said only yesterday, I think that
| big ticket Internet transactions have become inadvisable
| and will become more so. I honestly think that the party
| could be over for e-commerce, with eBay Motors as its
| apogee

Actually, we don't really disagree with the rest of your message, and I'm not claiming some kind of conspiracy. This isn't really a power play because the banks hold all the cards. Perhaps we're reading different parts of the message I forwarded. Consider:

  Liability for any loss resulting from unauthorized Internet banking transactions rests with the customer if they have used a computer or device that does not have appropriate protective software and operating system installed and up-to-date, [or] failed to take reasonable steps to ensure that the protective systems, such as virus scanning, firewall, antispyware, operating system and antispam software on [the] computer, are up-to-date.

OK, I could live with that as stated. But:

  The code also adds: We reserve the right to request access to your computer or device in order to verify that you have taken all reasonable steps to protect your computer or device and safeguard your secure information in accordance with this code. If you refuse our request for access then we may refuse your claim.

The delay between when you were defrauded and when they request access is unspecified. Who knows what's happened in the meanwhile? Perhaps as a result of my experience, I stopped using on-line banking, and as a result decided it wasn't worth keeping all the (obviously ineffective) software up to date.

This is just too open-ended a requirement. "All reasonable steps"? Just what *are* all reasonable steps? I think I know more than most people about how to keep systems secure, but I'd be at a loss to make a list that could reasonably be called "all reasonable steps". (Actually, my list would probably include "don't use IE or Outlook". Is that reasonable?)

  Bank customers who are unhappy with the new rules may choose to dispense with electronic banking altogether, and return to dealing with tellers at the bank. But it seems that electronic banking and in particular Internet banking has become the convenient choice for consumers, Davidson says.

On-line access is on its way to become a necessity. EZ-Pass in New York (electronic toll collection) now charges $2/month if you want them to send you a printed statement - go for all on-line access, and it's free. Hardly a necessity yet, but this is a harbinger. (Meanwhile, the percentage of EZ-Pass only lanes at toll plazas keeps rising. You don't *need* to use EZ-Pass, if you're willing to incur significant delays.)

  The code also warns users that they could be liable for any loss if they have chosen an obvious PIN or password, such as a consecutive sequence of numbers, a birth date or a pet's name; disclosed a PIN or password to a third party or kept a written or electronic record of it. Similar warnings are already included in the section that deals with ATM and PINs for Eftpos that was issued in 2002. There is nothing in this clause allowing an electronic record to be held in a password-protected cache -- a facility provided by some commercial security applications.

This is not just wrong, it's *dangerously* wrong.

  The code allows banks to use unsolicited email among other media to advise of changes in their arrangements with the customer, but Davidson says they should only utilize their web-based mail systems.

  It is hardly surprising that some people fall victim to phishing email scams when banks use email as a normal method of communication, and therefore email can be perceived as a valid communication by end users, he says.

As we've discussed here many times, banks' mail messages are incredibly hazardous, and teach entirely the wrong things.

-- Jerry
Re: Quantum Cryptography
On Tue, Jun 26, 2007 at 02:03:29PM -0700, Jon Callas wrote:
> On Jun 26, 2007, at 10:10 AM, Nicolas Williams wrote:
> > This too is a *fundamental* difference between QKD and classical cryptography.
>
> What does this "classical" word mean? Is it the Quantum way to say "real"? I know we're in violent agreement, but why are we letting them play language games?

I don't mind using "classical" here. I don't think Newtonian physics (classical) is bad -- it works great at every day human scales.

> IMO, QKD's ability to discover passive eavesdroppers is not even interesting (except from an intellectual p.o.v.) given: its inability to detect MITMs, its inability to operate end-to-end across middle boxes, while classical crypto provides protection against eavesdroppers *and* MITMs both *and* supports end-to-end operation across middle boxes.
>
> Moreover, the quantum way of discovering passive eavesdroppers is really just a really delicious sugar coating on the classical term denial of service. I'm not being DoSed, I'm detecting a passive eavesdropper!

Heh! Indeed: with classical (or non-quantum, or standard, or...) crypto eavesdroppers are passive attackers and passive attackers cannot mount DoS attacks (oh, I suppose that wiretapping can cause some slightly noticeable interference in some cases, but usually that's no DoS), but in QKD passive attackers become active attackers.

But it gets worse! To eavesdrop on a QKD link requires much the same effort (splice the fiber) as to be an MITM on a QKD link, so why would any attacker choose to eavesdrop and be detected instead of being an MITM, go undetected and get the cleartext they're after?

Right, they wouldn't. Attackers aren't stupid, and an attacker that can splice your fibers can probably afford the QKD HW they need to mount an MITM attack.

So, really, you need authentication. And, really, you need end-to-end, not hop-by-hop authentication and data confidentiality + integrity protection.

This reminds me of Feynman's presentation of Quantum Electrodynamics, which finished with "QED".

Has it now been sufficiently established that QKD is not useful that whenever it rears its head we can point folks at archives of these threads and not spill any more ink?

Nico
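An added toy simulation of the point Nico makes above (my own code, not from anyone on the list): in BB84 an intercept-and-resend eavesdropper leaves roughly 25% errors in the sifted key and so gets noticed, while an attacker who terminates Alice's session and starts a fresh one with Bob sees no errors at all, because nothing on the classical channel authenticates who announced which bases. The two-outcome `measure` model, the scenario names and the sample sizes are my simplifications.

```python
import random

def measure(qubit, basis, rng):
    """Toy measurement: matching basis returns the prepared bit; a mismatched
    basis returns a random bit and the state collapses to that outcome."""
    bit, prep_basis = qubit
    if basis == prep_basis:
        return bit, qubit
    out = rng.randint(0, 1)
    return out, (out, basis)

def bb84(n, rng, channel=None):
    """One BB84 session: sender prepares n qubits in random bases, receiver
    measures in random bases, bases are announced in the clear and matching
    positions are kept. Returns (sender_key, receiver_key, qber)."""
    s_bits = [rng.randint(0, 1) for _ in range(n)]
    s_bases = [rng.randint(0, 1) for _ in range(n)]
    r_bases = [rng.randint(0, 1) for _ in range(n)]
    qubits = list(zip(s_bits, s_bases))       # what goes onto the fiber
    if channel is not None:
        qubits = channel(qubits, rng)         # whatever sits on the fiber
    r_bits = [measure(q, b, rng)[0] for q, b in zip(qubits, r_bases)]
    s_key = [b for b, x, y in zip(s_bits, s_bases, r_bases) if x == y]
    r_key = [b for b, x, y in zip(r_bits, s_bases, r_bases) if x == y]
    errors = sum(a != b for a, b in zip(s_key, r_key))
    return s_key, r_key, errors / len(s_key)

def intercept_resend(qubits, rng):
    """Eavesdropper: measure each qubit in a random basis and forward the
    collapsed state; this leaves roughly 25% errors in the sifted key."""
    return [measure(q, rng.randint(0, 1), rng)[1] for q in qubits]

def mitm(n, rng):
    """Eve completes BB84 with Alice posing as Bob, then a fresh BB84 with Bob
    posing as Alice, relaying the unauthenticated classical channel."""
    a_key, eve_key_a, qber_a = bb84(n, rng)   # Alice <-> Eve: error-free
    eve_key_b, b_key, qber_b = bb84(n, rng)   # Eve <-> Bob: error-free
    return a_key, b_key, (eve_key_a, eve_key_b), (qber_a, qber_b)

def run_all(n=4000, seed=2007):
    """Run the three scenarios with one seeded RNG and report what each party sees."""
    rng = random.Random(seed)
    _, _, honest = bb84(n, rng)
    _, _, intercept = bb84(n, rng, intercept_resend)
    a_key, b_key, (ea, eb), mitm_qber = mitm(n, rng)
    return {"honest_qber": honest, "intercept_qber": intercept,
            "mitm_qber": mitm_qber, "alice_bob_agree": a_key == b_key,
            "eve_has_both_keys": ea == a_key and eb == b_key}
```

`run_all()` shows the contrast directly: the eavesdropper's session reports a QBER near 0.25, while both halves of the spliced session report 0.0 even though Alice and Bob hold different keys and Eve holds both.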