Formal notice given of rearrangement of deck chairs on RMS PKItanic
From https://wiki.mozilla.org/CA:MD5and1024:

> December 31, 2010 - CAs should stop issuing intermediate and end-entity
> certificates from roots with RSA key sizes smaller than 2048 bits [0]. All
> CAs should stop issuing intermediate and end-entity certificates with RSA
> key size smaller than 2048 bits under any root. Under no circumstances
> should any party expect continued support for RSA key size smaller than
> 2048 bits past December 31, 2013. This date could get moved up
> substantially if necessary to keep our users safe. We recommend all
> parties involved in secure transactions on the web move away from
> 1024-bit moduli as soon as possible.

Right, because the problem with commercial PKI is all those attackers who are factoring 1024-bit moduli, and apart from that every other bit of it works perfectly.

Peter.

[0] This is ambiguously worded, but it's talking about key sizes in EE certs.

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
Tahoe-LAFS developers' statement on backdoors
http://tahoe-lafs.org/trac/tahoe-lafs/browser/trunk/docs/backdoors.txt

Statement on Backdoors

October 5, 2010

The New York Times has recently reported that the current U.S. administration is proposing a bill that would apparently, if passed, require communication systems to facilitate government wiretapping and access to encrypted data:

http://www.nytimes.com/2010/09/27/us/27wiretap.html (login required; username/password pairs available at http://www.bugmenot.com/view/nytimes.com).

Commentary by the Electronic Frontier Foundation (https://www.eff.org/deeplinks/2010/09/government-seeks), Peter Suderman / Reason (http://reason.com/blog/2010/09/27/obama-administration-frustrate), Julian Sanchez / Cato Institute (http://www.cato-at-liberty.org/designing-an-insecure-internet/).

The core Tahoe developers promise never to change Tahoe-LAFS to facilitate government access to data stored or transmitted by it. Even if it were desirable to facilitate such access—which it is not—we believe it would not be technically feasible to do so without severely compromising Tahoe-LAFS' security against other attackers. There have been many examples in which backdoors intended for use by government have introduced vulnerabilities exploitable by other parties (a notable example being the Greek cellphone eavesdropping scandal in 2004/5). RFCs 1984 and 2804 elaborate on the security case against such backdoors.

Note that since Tahoe-LAFS is open-source software, forks by people other than the current core developers are possible. In that event, we would try to persuade any such forks to adopt a similar policy.

The following Tahoe-LAFS developers agree with this statement:

David-Sarah Hopwood
Zooko Wilcox-O'Hearn
Brian Warner
Kevan Carstensen
Frédéric Marti
Jack Lloyd
François Deppierraz
Yu Xue
Marc Tooley
FY;) Stick Figure Guide to AES
Not new, but some probably have missed it.

http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html

-- 
Eugen* Leitl http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Re: Formal notice given of rearrangement of deck chairs on RMS PKItanic
On Wed, Oct 06, 2010 at 04:52:46PM +1300, Peter Gutmann wrote:

> Right, because the problem with commercial PKI is all those attackers who
> are factoring 1024-bit moduli, and apart from that every other bit of it
> works perfectly.

_If_ Mozilla and the other browser vendors actually go through with removing all 2048 bit CA certs (which I doubt will happen because I suspect most CAs will completely ignore this), it would have one tangible benefit: (some of, though unfortunately not nearly all) the old CA certificates that have been floating around since the dawn of time (i.e. the mid-late 90s), often with poor chains of custody through multiple iterations of bankruptcies, firesale auctions, mergers, acquisitions, and so on, will die around 2015 instead of their current expirations of 2020-2038. Sadly this will only kill about 1/3 of the 124 (!!) trusted roots Mozilla includes by default.

-Jack
Re: Formal notice given of rearrangement of deck chairs on RMS PKItanic
On Wed, Oct 06, 2010 at 04:52:46PM +1300, Peter Gutmann wrote:

> From https://wiki.mozilla.org/CA:MD5and1024:
>
>> December 31, 2010 - CAs should stop issuing intermediate and end-entity
>> certificates from roots with RSA key sizes smaller than 2048 bits [0]. All
>> CAs should stop issuing intermediate and end-entity certificates with RSA
>> key size smaller than 2048 bits under any root. [...]
>
> Right, because the problem with commercial PKI is all those attackers who
> are factoring 1024-bit moduli, and apart from that every other bit of it
> works perfectly.
>
> Peter.
>
> [0] This is ambiguously worded, but it's talking about key sizes in EE certs.

What are EE certs, did you mean EV?

-- 
Viktor.
Re: What if you had a very good entropy source, but only practical at crypto engine installation time?
Dear all:

The PUDEC (Practical Use of Dice for Entropy Collection) scheme has been advanced. The new web page is at http://pudec.connotech.com

The main technical advance in this release is the documentation of (deterministic) algorithmic support (http://pudec.connotech.com/pudec_algo.html). This development effort uses a structured process as if it targeted FIPS 140-2 level 4 certification, hence the release of documentation before reference source code.

Plus the PUDEC dice sets are now offered for sale.

If you are part of an open source project (GPL) for a cryptographic key management server or an open source HSM and you see a useful feature in a self-evident entropy source, don't hesitate to contact me (I would consider an open source contribution if such projects have a reasonable chance of critical mass adoption).

Enjoy!

Thierry Moreau wrote:

> See http://www.connotech.com/doc_pudec_descr.html .
>
> (OK, it's also practical whenever the server needs servicing by trusted
> personnel.)
>
> Then, you care about the deterministic PRNG properties, the secrecy of its
> current state, and the prevention of PRNG output replays from an
> out-of-date saved state.
>
> And bingo, you solved the random secret generation issue satisfactorily!

Regards,

-- 
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1
Tel. +1-514-385-5691
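The quoted passage lists what a design needs once the dice have been rolled at installation time: deterministic PRNG properties, secrecy of the current state, and no output replay from an out-of-date saved state. The following is an added example of one way to get those three properties together; it is not PUDEC's published algorithm and not code from the list or from CONNOTECH. Everything in it is an assumption for illustration: rolls are combined as base-6 digits and hashed with SHA-256 to make the seed, the generator is an HMAC-SHA256 forward ratchet, and a serial number in the saved state is checked against a separately kept record of the highest serial already issued. The die rolls are a constructed pattern, not real dice.

```python
# Added example, not PUDEC's own algorithm and not from the list: seed a
# deterministic generator once from dice, then ratchet the secret state after
# every output so that restoring an OLD saved copy of the state cannot replay
# outputs that were already issued. The construction is an assumption made
# for illustration; the dice rolls below are constructed, not random.
import hashlib
import hmac
import math

DIE_FACES = 6
SEED_BYTES = 32


def rolls_needed(seed_bytes=SEED_BYTES):
    """Fair rolls needed for seed_bytes of entropy: each roll gives log2(6) bits."""
    return math.ceil(8 * seed_bytes / math.log2(DIE_FACES))


def dice_to_seed(rolls):
    """Combine die rolls (1..6) as base-6 digits and hash to a fixed-size seed.
    Refuses short or out-of-range input rather than silently under-seeding."""
    if len(rolls) < rolls_needed():
        raise ValueError(f"need at least {rolls_needed()} rolls, got {len(rolls)}")
    if any(not 1 <= r <= DIE_FACES for r in rolls):
        raise ValueError("every roll must be in 1..6")
    value = 0
    for r in rolls:
        value = value * DIE_FACES + (r - 1)
    digits = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return hashlib.sha256(b"dice-seed" + digits).digest()


class RatchetPRNG:
    """HMAC-SHA256 generator whose key is replaced after each output (forward
    ratchet). `serial` counts outputs issued and is stored with the key so a
    saved state can be recognised as out of date."""

    def __init__(self, key, serial=0):
        self.key = key
        self.serial = serial

    @classmethod
    def from_seed(cls, seed):
        return cls(hmac.new(b"prng-init", seed, hashlib.sha256).digest())

    def next_bytes(self, n=32):
        out = b""
        for block in range((n + 31) // 32):
            msg = b"out" + self.serial.to_bytes(8, "big") + block.to_bytes(4, "big")
            out += hmac.new(self.key, msg, hashlib.sha256).digest()
        # Ratchet: derive the next key and discard the one that made this output.
        self.key = hmac.new(self.key, b"ratchet", hashlib.sha256).digest()
        self.serial += 1
        return out[:n]

    def save(self):
        """State to persist; it is a secret and must be stored as one."""
        return {"key": self.key, "serial": self.serial}

    @classmethod
    def restore(cls, saved, highest_serial_issued):
        """Reload a saved state. `highest_serial_issued` comes from a separate
        monotonic record of the last serial actually used; a saved copy that is
        behind it is stale and would re-issue outputs, so it is refused."""
        if saved["serial"] < highest_serial_issued:
            raise RuntimeError("stale PRNG state: restoring it would replay issued output")
        return cls(saved["key"], saved["serial"])


# Constructed rolls (a fixed pattern, NOT real dice) so the example runs offline.
CONSTRUCTED_ROLLS = [(i * 7 + 3) % DIE_FACES + 1 for i in range(100)]


def demo():
    """Returns (replay_refused, continues_in_sync) for one backup/restore scenario."""
    prng = RatchetPRNG.from_seed(dice_to_seed(CONSTRUCTED_ROLLS))
    stale_copy = prng.save()          # backup taken before any output was issued
    prng.next_bytes()
    prng.next_bytes()                 # two secrets issued; serial is now 2
    try:
        RatchetPRNG.restore(stale_copy, prng.serial)
        replay_refused = False
    except RuntimeError:
        replay_refused = True
    fresh = RatchetPRNG.restore(prng.save(), prng.serial)
    continues_in_sync = fresh.next_bytes() == prng.next_bytes()
    return replay_refused, continues_in_sync


if __name__ == "__main__":
    print(demo())
```

The ratchet gives forward secrecy of earlier outputs if the current state leaks, but on its own it does nothing against an attacker (or an honest operator) who restores an older backup; that is why the serial comparison in `restore` needs a record that lives outside the state file.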
Computer health certificate plan indistinguishable from Denial Of Service attack.
Microsoft is sending up a test balloon on a plan to 'quarantine' computers from accessing the Internet unless they produce a 'health certificate' to ensure that software patches are applied, a firewall is installed and configured correctly, an antivirus program with current signatures is running, and the machine is not currently infected with known malware.

Apparently in a nod to the fact that on technical grounds this is effectively impossible, the representative goes on to say "Relevant legal frameworks would also be needed." as though that would make lawbreakers stop spoofing it. Existing malware already spoofs antivirus software to display current patches, in order to prevent itself from being uninstalled.

It is hard to count the number of untestable and/or flat out wrong assumptions built into this idea, and harder still to enumerate all the ways it could go wrong.

The article is available at: http://www.bbc.co.uk/news/technology-11483008

Bear
Re: Formal notice given of rearrangement of deck chairs on RMS PKItanic
On Oct 6, 2010, at 10:48 AM, Victor Duchovni wrote:

> On Wed, Oct 06, 2010 at 04:52:46PM +1300, Peter Gutmann wrote:
>
>> From https://wiki.mozilla.org/CA:MD5and1024:
>>
>>> December 31, 2010 - CAs should stop issuing intermediate and end-entity
>>> certificates from roots with RSA key sizes smaller than 2048 bits [0]. All
>>> CAs should stop issuing intermediate and end-entity certificates with RSA
>>> key size smaller than 2048 bits under any root. [...]
>>
>> [0] This is ambiguously worded, but it's talking about key sizes in EE certs.
>
> What are EE certs, did you mean EV?

EE = End Entity, but I don't read the first sentence the way Peter did. I parse it as

  CAs should stop issuing (intermediate and end-entity certificates) from (roots with RSA key sizes smaller than 2048 bits).

That is, if your CA key size is smaller, stop signing with it. Of course, if it's important to stop signing with it, it's equally important to revoke all signatures already made.

[Attachment: smime.p7s, S/MIME cryptographic signature]
English 19-year-old jailed for refusal to disclose decryption key
A 19-year-old just got a 16-month jail sentence for his refusal to disclose the password that would have allowed investigators to see what was on his hard drive.

I suppose that, if the authorities could not read his stuff without the key, it may mean that the software he was using may have had no links weaker than the encryption itself -- and that is extraordinarily unusual - an encouraging sign of progress in the field, if of mixed value in the current case.

Really serious data recovery tools can get data that's been erased and overwritten several times (secure deletion being quite unexpectedly difficult), so if it's ever been in your filesystem unencrypted, it's usually available to well-funded investigators without recourse to the key. I find it astonishing that they would actually need his key to get it.

Rampant speculation: do you suppose he was using a solid-state drive instead of a magnetic-media hard disk?

http://www.bbc.co.uk/news/uk-england-11479831

Bear
Re: Formal notice given of rearrangement of deck chairs on RMS PKItanic
Jack Lloyd ll...@randombit.net writes:

> On Wed, Oct 06, 2010 at 04:52:46PM +1300, Peter Gutmann wrote:
>
>> Right, because the problem with commercial PKI is all those attackers who
>> are factoring 1024-bit moduli, and apart from that every other bit of it
>> works perfectly.
>
> _If_ Mozilla and the other browser vendors actually go through with
> removing all 2048 bit CA certs (which I doubt will happen because I
> suspect most CAs will completely ignore this), it would have one tangible
> benefit: (some of, though unfortunately not nearly all) the old CA
> certificates that have been floating around since the dawn of time (i.e.
> the mid-late 90s), often with poor chains of custody through multiple
> iterations of bankruptcies, firesale auctions, mergers, acquisitions, and
> so on, will die around 2015 instead of their current expirations of
> 2020-2038. Sadly this will only kill about 1/3 of the 124 (!!) trusted
> roots Mozilla includes by default.

Another consequence is that people will explore moving to ECC, which is less studied than RSA and appears to be a patent mine-field.

As much as I'd like to get rid of old hard coded CAs in commonly used software, I feel there are better ways to achieve that than a policy like this.

/Simon
Re: Formal notice given of rearrangement of deck chairs on RMS PKItanic
On Wed, 6 Oct 2010, Matt Crawford wrote:

> [[...]]

I found it amusing that this message was accompanied by an S/MIME certificate which my mail client (alpine) was unable to verify, resulting in the error messages

  [Couldn't verify S/MIME signature: certificate verify error]
  [ This message was cryptographically signed but the signature ]
  [ could not be verified. ]

ciao,

-- 
-- Jonathan Thornburg [remove -animal to reply] jth...@astro.indiana-zebra.edu
   Dept of Astronomy, Indiana University, Bloomington, Indiana, USA
   "Washing one's hands of the conflict between the powerful and the
    powerless means to side with the powerful, not to be neutral."
                                      -- quote by Freire / poster by Oxfam
Re: Formal notice given of rearrangement of deck chairs on RMS PKItanic
On Wed, Oct 06, 2010 at 01:32:00PM -0500, Matt Crawford wrote:

> That is, if your CA key size is smaller, stop signing with it.

You may have missed the next sentence of Mozilla's statement:

> All CAs should stop issuing intermediate and end-entity certificates with
> RSA key size smaller than 2048 bits under any root.

That is, no matter how long your root key is (the previous sentence stated the requirements about _that_) you may not use it to sign any end-entity certificate whose key size is < 2048 bits.

Gun: check. Bullets: check. Feet: check. Now they have everything they need to prevent HTTPS Everywhere.

Thor
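The two readings in this thread (Matt's: stop signing with sub-2048-bit roots; Thor's: additionally, no sub-2048-bit intermediate or end-entity certificate under any root) are both mechanically checkable from the public keys in a chain. The following is an added example, not code from the list, from Mozilla or from any CA, that audits a chain against both sentences of the quoted policy. It reads DER SubjectPublicKeyInfo structures with a small hand-written ASN.1 reader so it runs offline without a third-party library; the chain, the names in it and the helper functions (`rsa_modulus_bits`, `audit_chain`, `make_rsa_spki`) are this example's own, and the sample keys are constructed to have a given modulus size rather than being real keys.

```python
# Added example (not from the list, Mozilla or any CA): audit the RSA public
# keys of a certificate chain against the quoted key-size policy (no issuing
# from roots under 2048 bits; no intermediate or end-entity certificate under
# 2048 bits under any root). The sample keys are CONSTRUCTED, not real keys.

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1
MIN_BITS = 2048


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """Modulus size in bits of a DER SubjectPublicKeyInfo, or None if not RSA."""
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, alg, pos = _read_tlv(body, 0)                    # AlgorithmIdentifier
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        return None                                     # EC etc.: policy is about RSA
    tag, bits, _ = _read_tlv(body, pos)                 # BIT STRING around RSAPublicKey
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("expected BIT STRING with no unused bits")
    _, rsa_key, _ = _read_tlv(bits, 1)                  # RSAPublicKey ::= SEQUENCE { n, e }
    int_tag, n, _ = _read_tlv(rsa_key, 0)
    if int_tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(n, "big").bit_length()


def audit_chain(chain):
    """chain: list of (label, role, spki) with role in {"root", "intermediate", "ee"}.
    Returns a list of findings; an empty list means the chain complies."""
    findings = []
    for label, role, spki in chain:
        bits = rsa_modulus_bits(spki)
        if bits is None or bits >= MIN_BITS:
            continue
        if role == "root":
            findings.append(f"{label}: {bits}-bit root, must stop issuing from it")
        else:
            findings.append(f"{label}: {bits}-bit {role} certificate, below the {MIN_BITS}-bit floor")
    return findings


# --- encoder helpers used only to build constructed sample keys ---

def _der(tag, content):
    """Encode one DER TLV, using the long length form when needed."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def _der_int(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:                                   # leading zero keeps INTEGER positive
        raw = b"\x00" + raw
    return _der(0x02, raw)


def make_rsa_spki(bits, exponent=65537):
    """SubjectPublicKeyInfo around a CONSTRUCTED odd modulus of exactly `bits` bits.
    Only the size matters for the audit; this is not a usable RSA key."""
    modulus = (1 << (bits - 1)) | 1
    rsa_key = _der(0x30, _der_int(modulus) + _der_int(exponent))
    alg = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + _der(0x05, b""))
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))


# Constructed sample chain: a legacy 1024-bit root that issued a 2048-bit
# intermediate, which in turn issued a 1024-bit end-entity certificate.
SAMPLE_CHAIN = [
    ("Example Legacy Root CA", "root", make_rsa_spki(1024)),
    ("Example Intermediate CA", "intermediate", make_rsa_spki(2048)),
    ("www.example.test", "ee", make_rsa_spki(1024)),
]

if __name__ == "__main__":
    for line in audit_chain(SAMPLE_CHAIN) or ["chain complies with the policy"]:
        print(line)
```

Run against the sample chain it reports the root (Matt's reading) and the end-entity certificate (Thor's reading) and says nothing about the compliant intermediate; a non-RSA key is skipped because the quoted text only speaks of RSA moduli.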
Re: English 19-year-old jailed for refusal to disclose decryption key
On 10/06/2010 01:57 PM, Ray Dillinger wrote:

> A 19-year-old just got a 16-month jail sentence for his refusal to
> disclose the password that would have allowed investigators to see what
> was on his hard drive.

I am thankful to not be an English subject.

> I suppose that, if the authorities could not read his stuff without the
> key, it may mean that the software he was using may have had no links
> weaker than the encryption itself

Or that the authorities didn't want to reveal their capability to break it. Or that they wanted to make an example out of him. Or...

> -- and that is extraordinarily unusual - an encouraging sign of progress
> in the field, if of mixed value in the current case.
>
> Really serious data recovery tools can get data that's been erased and
> overwritten several times

Really? Who makes these tools? Where do they make that claim? Wouldn't drive manufacturers have heard about this? What would they do once they realized that drives had this extra data storage capacity sitting unused? I see this idea repeated enough that people accept it as true, but no one ever has a published account of one existing or having been used.

> (secure deletion being quite unexpectedly difficult)

Sure, but mainly because of stuff that doesn't get overwritten (i.e., drive firmware remaps sectors which then retain mostly valid data), not because atomic microscopy is available.

> , so if it's ever been in your filesystem unencrypted, it's usually
> available to well-funded investigators without recourse to the key. I
> find it astonishing that they would actually need his key to get it.

What makes you think these investigators were well-funded? Or they wouldn't prefer to spend that money on other things? Or that they necessarily would have asked the jailers to release the teen because they'd been successful in decrypting it? Perhaps their plan was to simply imprison him until he confesses?

> Rampant speculation: do you suppose he was using a solid-state drive
> instead of a magnetic-media hard disk?

SSDs retain info too. Due to the wear leveling algorithms they're quite systematic about minimizing overwrite. But I doubt any of that is an issue in this case.

- Marsh
Anyone know anything about the new AT&T encrypted voice service?
AT&T debuts a new encrypted voice service. Anyone know anything about it?

http://news.cnet.com/8301-13506_3-20018761-17.html

(Hat tip to Jacob Applebaum's twitter feed.)

-- 
Perry E. Metzger pe...@piermont.com
Re: English 19-year-old jailed for refusal to disclose decryption key
On 6 October 2010 11:57, Ray Dillinger b...@sonic.net wrote:

> A 19-year-old just got a 16-month jail sentence for his refusal to
> disclose the password that would have allowed investigators to see what
> was on his hard drive.

16 weeks, says the article.
Re: English 19-year-old jailed for refusal to disclose decryption key
On 06/10/10 19:57, Ray Dillinger wrote:

> A 19-year-old just got a 16-month jail sentence for his refusal to
> disclose the password that would have allowed investigators to see what
> was on his hard drive.

Just to correct this: the sentence was 16 weeks, not 16 months.

The legislation in question is the Regulation of Investigatory Powers Act of 2000 (RIPA), part III of which has been in force in the UK since 2007. This allows for a maximum sentence of two years for refusing a request that encrypted data be put into an intelligible form.

Reference here: http://wiki.openrightsgroup.org/wiki/RIP_Act_Part_III

Joss
Re: English 19-year-old jailed for refusal to disclose decryption key
On 10/06/2010 03:55 PM, Joss Wright wrote:

> The .. Regulation of Investigatory Powers Act of 2000 (RIPA), .. allows
> for a maximum sentence of two years for refusing a request that encrypted
> data be put into an intelligible form.

Five years, if a national security or child indecency case.

http://www.legislation.gov.uk/ukpga/2000/23/section/53

Arshad Noor
StrongAuth, Inc.
Re: English 19-year-old jailed for refusal to disclose decryption key
On Thu, Oct 7, 2010 at 5:57 AM, Ray Dillinger b...@sonic.net wrote:

> A 19-year-old just got a 16-month jail sentence for his refusal to
> disclose the password that would have allowed investigators to see what
> was on his hard drive.
>
> I suppose that, if the authorities could not read his stuff without the
> key, it may mean that the software he was using may have had no links
> weaker than the encryption itself -- and that is extraordinarily unusual
> - an encouraging sign of progress in the field, if of mixed value in the
> current case.
>
> Really serious data recovery tools can get data that's been erased and
> overwritten several times (secure deletion being quite unexpectedly
> difficult), so if it's ever been in your filesystem unencrypted, it's
> usually available to well-funded investigators without recourse to the
> key. I find it astonishing that they would actually need his key to get
> it.

Interesting.

It's interesting to think about the possibilities some sort of homomorphic cryptosystem would offer here. I.e. it would be arguably useful (from one point of view) if they were able to search the data for specific items, and failing finding items of those types, *then* the fallback is this sentence; otherwise it seems like a pretty trivial way out for anyone wishing to hide bad activity.

> Rampant speculation: do you suppose he was using a solid-state drive
> instead of a magnetic-media hard disk?
>
> http://www.bbc.co.uk/news/uk-england-11479831
>
> Bear

-- 
silky

http://dnoondt.wordpress.com/

Every morning when I wake up, I experience an exquisite joy — the joy of being this signature.
Re: Anyone know anything about the new AT&T encrypted voice service?
On 7/10/10 11:19 AM, Perry E. Metzger wrote:

> AT&T debuts a new encrypted voice service. Anyone know anything about it?
>
> http://news.cnet.com/8301-13506_3-20018761-17.html
>
> (Hat tip to Jacob Applebaum's twitter feed.)

JavaScript needs to be enabled:

http://www.att.com/gen/press-room?pid=18624&cdvn=news&newsarticleid=31260&mapcode=enterprise

  AT&T to Offer First Carrier-Provided, Two Factor Encryption Service for Smartphones

  AT&T Encrypted Mobile Voice Service uses Powerful Combination of Hardware and Software to Enable Voice Calls with High-Level Security

  Dallas, Texas, October 06, 2010

  AT&T* today launched AT&T Encrypted Mobile Voice, the first carrier-provided two factor encryption service, which provides high-level security features for calls on the AT&T wireless network. The service is targeted at government agencies, law enforcement organizations, financial services institutions and international businesses.

  ...

  AT&T Encrypted Mobile Voice combines KoolSpan's TrustChip® and SRA International's One Vault Voice™ into the first carrier-provided two-factor encryption solution. TrustChip is a fully hardened, self-contained crypto engine inserted into the smartphone's microSD slot. Embedded with AT&T TrustGroup, the KoolSpan TrustChip offers the strength of additional hardware authentication, enables encrypted calling interoperability with a defined group of other AT&T TrustGroup users and can be managed over-the-air.

  ...

  AT&T Encrypted Mobile Voice supports BlackBerry® smartphones and Windows® Phones on the AT&T wireless network. Unlike other encrypted voice systems, AT&T Encrypted Mobile Voice is not limited by availability of legacy Circuit Switched Data coverage and can operate in the over 190 countries globally where AT&T provides data roaming. AT&T Encrypted Mobile Voice meets the government information classification standards for Controlled Unclassified Information, offering The National Institute of Standards and Technology (NIST) FIPS 140-2 validation.

  ...

---

It would appear to be susceptible to the FBI's proposed law on making plain text available.

It's OEM'd:

http://www.koolspan.com/products/trustchip.html
http://www.koolspan.com/images/stories/docs/KoolSpan_TrustChip_Secured_Solutions_Secure_Voice.pdf
http://www.koolspan.com/images/stories/docs/KoolSpan_TrustChip.pdf
http://www.koolspan.com/images/stories/docs/KoolSpan_TrustCenter.pdf

Linux is supported in the TrustChip Developer Kit:
http://www.koolspan.com/products/developer-kit.html

AES-256
Re: Anyone know anything about the new AT&T encrypted voice service?
On Oct 6, 2010, at 6:19:01 PM, Perry E. Metzger wrote:

> AT&T debuts a new encrypted voice service. Anyone know anything about it?
>
> http://news.cnet.com/8301-13506_3-20018761-17.html
>
> (Hat tip to Jacob Applebaum's twitter feed.)

http://www.att.com/gen/press-room?pid=18624&cdvn=news&newsarticleid=31260&mapcode=enterprise says a bit more.

--Steve Bellovin, http://www.cs.columbia.edu/~smb