Quantum Crypto broken again
A failure in implementation leads to the ability to eavesdrop on a quantum-secrecy based key exchange on 2/3 of the types of quantum equipment used. From: http://technology.newscientist.com/article/dn14866-laser-cracks-unbreakable-quantum-communications.html

"Makarov and colleagues from Sweden and Russia have shown that Eve could control Bob's equipment, so that they both decode exactly the same digits from Alice's transmission...The method exploits the way a common type of photon counter can have its sensitivity reduced by a very bright flash of light. The attack begins when Eve fires a pulse of laser light to all four detectors in Bob's equipment...[Eve leverages this into getting the key] by sending on a sequence of encoded photons that are identical to the ones she receives from Alice, Eve can safely intercept a message without leaving the tell-tale quantum errors...Makarov and colleagues have now uncovered such vulnerabilities in two of the three types of quantum equipment commonly used. They are now investigating ways to solve the flaw without introducing more weaknesses."

A paper, "Can Eve control PerkinElmer actively-quenched single-photon detector?", is available at http://arxiv.org/ftp/arxiv/papers/0809/0809.3408.pdf.

-Michael Heyman

The Cryptography Mailing List. Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Adam Savage talks about Mythbuster attempt at RFID
Apparently credit card institutions don't want Mythbusters near their RFID technology. Transcribed from http://www.youtube.com/watch?v=-St_ltH90Oc:

"We're going to do RFID on several levels, you know, how hackable, how reliable, how trackable, etc. etc. And one of our researchers called up Texas Instruments and they arranged a conference call between, I think, Tory and the head producer for the other team, Linda Wolkovitch, and one of the technicians for Texas Instruments. We were supposed to have a conference call to talk about the technology on, like, Tuesday at 10am. On Tuesday at 10am Linda and Tory get on the phone and Texas Instruments comes on along with chief legal counsel for American Express, Visa, Discover, and everybody else. And I get chills just as I describe it. They were way, way outgunned. And they absolutely made it really clear to Discovery that they were not going to air this episode talking about how hackable this stuff was. And Discovery backed way down, being a large corporation dependent on the revenue of the advertisers. And it's on Discovery's radar and they won't let us go near it. So, I'm sorry, it's just one of those things, but man, that was... Tory still gets a little white when he describes that phone conversation."

-Michael
RE: road toll transponder hacked
On Tue, Aug 26, 2008 at 9:24 AM, Perry E. Metzger [EMAIL PROTECTED] wrote:

http://www.technologyreview.com/Infotech/21301/?a=f

From the article: "other toll systems, like E-Z Pass and I-Pass, need to be looked at too"

A couple years ago I got a letter from E-Z Pass a few days after I used my transponder in my new car without registering my new car. They gave me a grace period to register before making me pay some sort of penalty. So, I believe, at least for E-Z Pass, the attack would have to include cloning the license plate, and pictures may still be available whenever a victim realizes they have been charged for trips they did not take.

-Michael Heyman
Re: [p2p-hackers] IETF rejects Obfuscated TCP
May I ask what you're trying to accomplish? I assume http://code.google.com/p/obstcp/ which uses the TCP connection setup to do a key agreement. Slick but apparently susceptible to DoS.

-Michael Heyman
Re: Voting machine security
On Fri, Aug 15, 2008 at 11:57 AM, John Ioannidis [EMAIL PROTECTED] wrote:

This just about sums it up: http://xkcd.com/463/

Only slightly better than suggested by the comic. McAfee anti-virus software was on the servers, not the DRE voting machines themselves. From http://www.middletownjournal.com/n/content/oh/story/news/local/2008/08/06/ddn080608votingweb.html

"Premier spokesman Chris Riggall had not seen the counterclaim [breach-of-contract lawsuit counterclaim filed by the Ohio Secretary of State] and declined comment on it. But he blamed the vote tabulation problems on McAfee anti-virus software on computer servers."

-Michael Heyman
Re: Can we copy trust?
On Mon, Jun 2, 2008 at 12:37 PM, Ed Gerck [EMAIL PROTECTED] wrote:

In the essay Better Than Free, Kevin Kelly debates which concepts hold value online, and how to monetize those values. See www.kk.org/thetechnium/archives/2008/01/better_than_fre.php Kelly's point can be very useful: *When copies are free, you need to sell things which can not be copied.* The problem that I see and present to this list is when he discusses qualities that can't be copied and considers trust as something that cannot be copied.

Kelly says trust cannot be copied at the top of his missive, then doesn't list it as one of the eight "generatives" (I may be missing something, but I think generative is the wrong word for something that cannot be copied; Kelly makes up his own definition for generative as something "generated uniquely in place").

Well, in the digital economy we had to learn how to copy trust and we did. For example, SSL would not work if trust could not be copied.

After this list has destroyed the as-implemented SSL model of trust over and over again, I'd be wary of claiming that SSL allows trust to be copied. Even so, SSL doesn't really copy trust; it works by only trusting the root. You don't have to trust the target site's self-assertions about its own identity because you trust the root to only validate for sites that are what they claim to be.

On Mon, Jun 2, 2008 at 3:29 PM, Ed Gerck [EMAIL PROTECTED] wrote:

A copy is something identical. So, in fact you can copy that server cert to another server that has the same domain (load balancing), and it will work. Web admins do it all the time. The user will not notice any difference in how the SSL will work.

Copying server certificates isn't copying trust either. In this case all servers with the same certificate are the same entity, at least to whatever needs to trust it. This whole thing with SSL and certificates is a red herring when it comes to copying trust. When I trust a site, that site doesn't have the trust, I do.

To copy that trust, albeit with low fidelity, I merely have to communicate that trust to some other person. There are sites on the net that allow me to communicate my trust to others. eBay is probably making the most money at it with their seller reputation system. Sellers with a better reputation will attract more business and sell quicker and at higher prices. eBay makes more money when more product moves at higher prices, but it cannot inflate sellers' reputations because that would instantly be recognized by buyers and eBay would become a pariah and some other site would take over. Other sites like Amazon, Bizrate, and Angie's List provide similar trust distribution services with different underlying business models. This is a trust model that appears to work.

If an eBayish/Verisigny company did an OCSP-like service that returned a current eBay-like reputation number for the trustworthiness of the site in question, I don't think we would need band-aids like PetNames or even a hierarchical PKI. Sites could just use self-signed certificates with a field pointing to their reputation responder. Instead of trusted root certificates, browsers could have trusted reputation responder certificates. Microsoft would charge reputation responders to include their certificates, reputation responders would charge companies to maintain their reputations, everybody would make money. When a reputation responder goes bad, slashdot would have fun, Microsoft would pull their cert, there will be some vulnerable users that don't ever get updated responder certificate lists, and the entities that had trust housed at the bad responder will have to generate new certs and rebuild their reputation elsewhere.

This, of course, doesn't have a chance of occurring because SSL works well enough and people will ignore the bad reputation warnings just like they ignore SSL warnings now.

-Michael Heyman
Re: Can we copy trust?
On Tue, Jun 3, 2008 at 1:05 PM, Ed Gerck [EMAIL PROTECTED] wrote:

[EMAIL PROTECTED] wrote: We see that the trust relationship represented by that SSL cert can be copied without any loss, as many times as you wish

My understanding is that an SSL certificate is only a method to carry the assertion that the holder of the private key is the subject named in the certificate (with possible limitations on the allowed uses of the private key). By using the certificate, one does not trust the subject; one does trust the signer of the certificate as an entity that verified the subject named in the certificate represents the actual subject (this is true even for self-signed certificates, grin).

Copying the SSL certificate does not copy trust, but sometimes copying some certificates does copy trust. Say Alice browses around the web looking to buy a widget and when her browser hits a particular HTTPS protected site, it pops up an untrusted certificate warning. Alice goes and moves on to another site. Bob goes to the same site and his browser doesn't pop up the warning because Microsoft has automatically updated his computer's trusted CAs list. Bob's browser trusts the site and Bob trusts his browser, so Bob buys the widget. Alice's browser didn't trust the site, and Alice, being a remarkable woman, actually paid attention to her browser and moved on. So we see, the trusted CA certificates do carry trust (heck, "trusted" is part of the name), and, when Microsoft copied the new trusted CA certificate into Bob's computer, Microsoft managed to copy trust.

IT departments put corporate trusted CA certificates in employees' computers. The US DoD puts their trusted root certificates in DoD computers. All these actions copy trust with high fidelity. But this method rings of an edict from on high, "Thou shalt trust". These methods still don't have the:

// copy Alice's trust in Charlie to Bob
Copy(Alice[trust--Charlie], Bob)

capability. The low fidelity ways of Epinions and eBay seem to be the only examples I can come up with that allow for that type of trust copying. For example:

// copy the trust in Charlie a large group of eBayers has to Bob
MaybeCopy(eBayClaim.LargeGroup[trust--Charlie], Bob)

The copy may or may not happen depending on Bob's feelings about the size of the group or the extent of the trust. Of course, the eBayesque trust copying happens in wetware. To move it to hardware would require an online protocol and method to register trust. I can see shades of the old PGP web-of-trust with added subtleties for timeliness and dispute resolution.

As to another point of your comment, the problem most people have with PKI is not that SSL does not work. SSL does not even need PKI.

I meant SSL as we use it. I believe the vast majority of SSL use involves a hierarchical PKI. I have rarely seen the use of pre-shared keys or self-signed certificates (which is technically still a PKI).

-Michael Heyman
Re: 2factor
On Wed, Apr 9, 2008 at 12:59 PM, Leichter, Jerry [EMAIL PROTECTED] wrote:

Anyone know anything about a company called 2factor (2factor.com)? They're pushing a system based on symmetric cryptography with, it appears, some kind of trusted authority. Factor of 100 faster than SSL. More secure, because it authenticates every message. No real technical data I can find on the site, and I've never seen a site with so little information about who's involved. (Typically, you at least get a list of the top execs.) Some ex-spooks? Pure snake oil? Somewhere in between?

Google says:

2factor Inc.
1540 South Holland-Sylvania Road
Maumee, OH 43537
Mark O. Wittenmyer, Chairman
David M. Burns, Chief Executive Officer
Raymond A. Romagnolo, Executive Vice President

2factor, Inc. BOARD OF DIRECTORS
Mark O. Wittenmyer

-Michael Heyman
Re: 2factor
On Wed, Apr 9, 2008 at 12:59 PM, Leichter, Jerry [EMAIL PROTECTED] wrote:

Anyone know anything about a company called 2factor (2factor.com)? They're pushing a system based on symmetric cryptography with, it appears, some kind of trusted authority. Factor of 100 faster than SSL. More secure, because it authenticates every message. No real technical data I can find on the site, and I've never seen a site with so little information about who's involved. (Typically, you at least get a list of the top execs.) Some ex-spooks? Pure snake oil? Somewhere in between?

More googling and this seems to be the technology:

http://www.wipo.int/pctdb/en/wo.jsp?wo=2008030523

and

http://www.freshpatents.com/Method-and-system-for-performing-perfectly-secure-key-exchange-and-authenticated-messaging-dt20060216ptan20060034456.php

Which seem to be aimed at a drop-in replacement for SSL (with a working example using Firefox and Apache). They seem to rest on a key exchange or agreement based on a shared secret. Take this analysis with a grain of salt; I just gave the patent and application a quick scan.

-Michael Heyman
Re: [tahoe-dev] Surely M$ can patent this process?
On Jan 27, 2008 11:18 AM, zooko [EMAIL PROTECTED] wrote:

[adding Cc: p2p-hackers and cryptography mailing lists as explained below; Please trim your follow-ups as appropriate.]

On Jan 26, 2008, at 9:44 PM, Gary Sumner wrote: Surely there must be prior art on this technique to refute this patent?

That's an interesting question, and I'm carbon-copying the p2p-hackers and cryptography mailing lists to ask if anyone knows.

FYI: http://www.opencm.org/papers/cpcms2001.pdf

CPCMS: A Configuration Management System Based on Cryptographic Names. Jonathan S. Shapiro, John Vanderburgh, Systems Research Laboratory, Johns Hopkins University. Appeared in the 2002 USENIX Annual Technical Conference.

-Michael Heyman
Earliest indication of Prime numbers
From a fun article on the history of computing http://www.neatorama.com/2008/01/25/the-wonderful-world-of-early-computing

"The 20,000-year-old bone revealed that early civilization had mastered arithmetic series and even the concept of prime numbers."

This predates the Egyptian and Greek references to prime number knowledge I have heard about by a wide margin. Unfortunately, the article doesn't go into any more detail than the quote above.

-Michael Heyman
Re: No PAL please, we're British
On Nov 15, 2007 2:55 PM, [EMAIL PROTECTED] wrote:

According to this BBC story until fairly recently the British military refused to have PALs on nuclear weapons. [SNIP]

From the story: "The Bomb is actually armed by inserting a bicycle lock key into the arming switch and turning it through 90 degrees."

I wonder if they knew how to defeat it with a Bic pen? (see http://www.wired.com/culture/lifestyle/news/2004/09/64987)

-Michael Heyman
Rockville MD e-vote glitch
Not really crypto, but from http://www.gazette.net/stories/110707/rocknew00608_32357.shtml

"election judges throughout the city noticed voters whose street addresses start with the number 5 were being denied their voter cards because the database wrongly counted them as absentee voters...Those whose street numbers start with the number 5 were designated absentee ballot applicants as part of a state test program that should not have been forwarded for Election Day use."

Luckily it was an off-year election so:

"only about 10 people were either sent to City Hall to clear up the matter or walked away from the polls without casting a ballot"

My house number starts with 3 :-)

-Michael Heyman
Elcomsoft trying to patent faster GPU-based password cracker
From: http://www.elcomsoft.com/EDPR/gpu_en.pdf

"Moscow, Russia - October 22, 2007 - ElcomSoft Co. Ltd. has discovered and filed for a US patent...Using the brute force technique of recovering passwords, it was possible, though time-consuming, to recover passwords from popular applications. For example...Windows Vista uses NTLM hashing by default, so using a modern dual-core PC you could test up to 10,000,000 passwords per second, and perform a complete analysis in about two months. With ElcomSoft's new technology, the process would take only three to five days...Today's [GPU] chips can process fixed-point calculations. And with as much as 1.5 Gb of onboard video memory and up to 128 processing units, these powerful GPU chips are much more effective than CPUs in performing many of these calculations...Preliminary tests using Elcomsoft Distributed Password Recovery product to recover Windows NTLM logon passwords show that the recovery speed has increased by a factor of twenty, simply by hooking up with a $150 video card's onboard GPU."

-Michael Heyman
Re: Bid on a SnakeOil Crypto Algorithm Patent
On 10/4/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

On 10/3/07, Saqib Ali [EMAIL PROTECTED] wrote: [SNIP]

or both private keys but that never seems to get mentioned

I take it back, there is only one private key but math makes multiple temporary public keys out of it.

-Michael
Re: Quantum Cryptography
On 6/25/07, Greg Troxel [EMAIL PROTECTED] wrote:

1) Do you believe the physics? (Most people who know physics seem to.)

For those who would like to know a little more about the physics, see:

http://www.icfo.es/images/publications/J05-055.pdf, "Quantum Cloning", Valerio Scarani, Sofyan Iblisdir, and Nicolas Gisin. This is a late 2005 review of eavesdropping techniques for QKD. Much of the terminology of quantum physics is unfamiliar to me, but I think the paper states that Eve could theoretically get 5/6 of the bits through cloning and, to keep this from happening, Alice and Bob have to assume an eavesdropper if more than 11% of the bits have errors.

also:

http://w3.antd.nist.gov/pubs/Mink-SPIE-One-Time-Pad-6244_22.pdf, "One-Time Pad Encryption of Real-Time Video", Alan Mink, Xiao Tang, LiJun Ma, Tassos Nakassis, Barry Hershman, Joshua C. Bienfang, David Su, Ron Boisvert, Charles W. Clark and Carl J. Williams. A more accessible paper describing a working system where NIST claims bit error rates in the 3% range while generating key material at greater than 2Mb/s. It's not clear whether the bit error rate is before or after an error correction stage, but the paper discusses how bit error rate reduces the overall result after privacy amplification, so I believe they have thought of Eve cloning photons in flight.

-Michael
Site has flash file that shows Enigma operation as you type
http://enigmaco.de has a Flash-based example of the Enigma processing with a short history and tutorial.

-Michael Heyman
Re: Private Key Generation from Passwords/phrases
On 1/11/07, Joseph Ashwood [EMAIL PROTECTED] wrote:

112 bits of entropy is 112 bits of entropy...anything else and you're into the world of trying to prove equivalence between entropy and work which work in physics but doesn't work in computation because next year the work level will be different and you'll have to redo all your figures.

Hmm. All we usually have protecting us is work. Once a little bit of cipher text gets out, on an SSL session or a PGP encrypted email or the like, that bit of cipher text is enough information to unambiguously determine the key. It may take a lot of work to determine the key, but there is no uncertainty left in the key. That is, once used for a bit of encrypting where the cipher text becomes known, the entropy of that key is _zero_. Since there is no unguessability left in the key, the only thing protecting the cipher text is the amount of work it takes to determine the key.

It seems Matthias has realized, prudently, that his system has a weak link at the passphrase and he is looking to strengthen that. The ways to do that include requiring a ridiculously long passphrase or increasing the work required to go from the passphrase to the key. Both methods Matthias has chosen increase the work required to break the system. As James pointed out, the proposed 76-bit passphrase is a bit much to expect anybody to remember, and it is always better to not derive keys from passwords when the system allows.

-Michael Heyman
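The two levers the post names, a longer passphrase and more work per guess, can be put side by side in code. The following is an added example, not code from the original thread or from the system Matthias was building: it stretches a passphrase with PBKDF2-HMAC-SHA256 from Python's standard library (the iteration count is the work knob), estimates the resulting guessing cost in log2 terms, and computes how many uniformly chosen Diceware words reach a target such as the 76 bits mentioned in the thread. The passphrase, salt and iteration count are constructed sample values, and `derive_key`, `effective_work_bits` and `words_needed` are hypothetical helper names.

```python
import hashlib
import math

# Constructed sample inputs (not from the original post): a short passphrase,
# a fixed salt so the run is reproducible, and a modest iteration count.
SAMPLE_PASSPHRASE = "correct horse battery staple"
SAMPLE_SALT = b"constructed-16-byte-salt"
DEFAULT_ITERATIONS = 2 ** 16  # hypothetical setting; deployments use more

DICEWARE_WORDLIST_SIZE = 7776  # 6^5 words in a standard Diceware list


def derive_key(passphrase: str, salt: bytes, iterations: int = DEFAULT_ITERATIONS,
               length: int = 32) -> bytes:
    """Stretch a passphrase into a fixed-length key with PBKDF2-HMAC-SHA256.

    The iteration count is the 'work' knob from the post: every candidate
    passphrase a guesser tries costs the same number of HMAC evaluations
    as the legitimate derivation does.
    """
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=length)


def effective_work_bits(passphrase_entropy_bits: float, iterations: int) -> float:
    """Log2 of the expected work to exhaust the passphrase space.

    Guessing cost = (number of passphrases) x (cost per guess), so in log2
    terms the iteration count simply adds to the passphrase's own entropy.
    This is a work-factor estimate, not an entropy claim: as the post argues,
    the derived key has no uncertainty left once ciphertext is available.
    """
    return passphrase_entropy_bits + math.log2(iterations)


def words_needed(target_bits: float, wordlist_size: int = DICEWARE_WORDLIST_SIZE) -> int:
    """Smallest number of uniformly chosen wordlist words reaching target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    key = derive_key(SAMPLE_PASSPHRASE, SAMPLE_SALT)
    print("derived key:", key.hex())
    # A 40-bit passphrase behind 2^20 iterations costs about 2^60 HMAC
    # evaluations to exhaust; the 76-bit passphrase from the thread needs
    # six Diceware words.
    print("work bits for 40-bit passphrase, 2^20 iterations:",
          effective_work_bits(40, 2 ** 20))
    print("Diceware words for 76 bits:", words_needed(76))
```

The salt keeps a precomputed table from serving more than one user, and the iteration count is what makes each guess expensive; neither changes how much the passphrase itself can be guessed, which is why the work-bits figure is an estimate of attacker cost rather than of key entropy.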
Re: [Clips] Read two biometrics, get worse results - how it works
On 10/19/05, R.A. Hettinga [EMAIL PROTECTED] wrote:

[EDIT] Daugman presents (http://www.cl.cam.ac.uk/users/jgd1000/combine/combine.html) the two rival intuitions, then does the maths. On the one hand, a combination of different tests should improve performance, because more information is better than less information. But on the other, the combination of a strong test with a weak test to an extent averages the result, so the result should be less reliable than if one were relying solely on the strong test.

I believe the Daugman results are correct only when one accepts results where the tests disagree. That is, if the first test returns positive and the second test returns negative, you choose the overall result to be positive or negative as opposed to "do over" until they agree. Of course, in real life with knowledge of the physics of the tests and the ability to pull out non-boolean results, one may be able to remove many of the "do over" results to keep from annoying the test subjects.

-Michael Heyman
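The three decision rules discussed above can be compared directly. The following is an added example, not code from the original post or from Daugman's page: it takes a strong and a weak test with constructed, assumed-independent false-accept and false-reject rates, and works out the combined error rates under the AND rule (accept only if both accept), the OR rule (accept if either accepts) and the "do over until they agree" rule, which conditions on agreement and so discards the disagreement outcomes. The error rates are sample values chosen for illustration, and `and_rule`, `or_rule`, `agree_rule` and `beats_strong_alone` are hypothetical helper names.

```python
from typing import Tuple

# Constructed error rates (not from the post or from Daugman's page):
# a strong test and a weak test, each with equal false-accept and
# false-reject rates, assumed statistically independent of each other.
STRONG = (1e-4, 1e-4)  # (false accept rate, false reject rate)
WEAK = (1e-2, 1e-2)

Rates = Tuple[float, float]


def and_rule(a: Rates, b: Rates) -> Rates:
    """Accept only if both tests accept: impostors must fool both."""
    far_a, frr_a = a
    far_b, frr_b = b
    far = far_a * far_b
    frr = 1.0 - (1.0 - frr_a) * (1.0 - frr_b)
    return far, frr


def or_rule(a: Rates, b: Rates) -> Rates:
    """Accept if either test accepts: genuine users need only pass one."""
    far_a, frr_a = a
    far_b, frr_b = b
    far = 1.0 - (1.0 - far_a) * (1.0 - far_b)
    frr = frr_a * frr_b
    return far, frr


def agree_rule(a: Rates, b: Rates) -> Tuple[float, float, float, float]:
    """Repeat both tests until they agree; the agreed verdict is the answer.

    Returns (far, frr, expected_rounds_impostor, expected_rounds_genuine).
    Conditioning on agreement removes the disagreement outcomes the post
    points at; the price is the occasional retest of the subject.
    """
    far_a, frr_a = a
    far_b, frr_b = b
    both_accept_impostor = far_a * far_b
    both_reject_impostor = (1.0 - far_a) * (1.0 - far_b)
    p_agree_impostor = both_accept_impostor + both_reject_impostor
    both_reject_genuine = frr_a * frr_b
    both_accept_genuine = (1.0 - frr_a) * (1.0 - frr_b)
    p_agree_genuine = both_reject_genuine + both_accept_genuine
    far = both_accept_impostor / p_agree_impostor
    frr = both_reject_genuine / p_agree_genuine
    # Rounds until agreement are geometric, so the mean is 1 / P(agree).
    return far, frr, 1.0 / p_agree_impostor, 1.0 / p_agree_genuine


def beats_strong_alone(combined: Rates, strong: Rates) -> bool:
    """True only if the combination is no worse on *both* error rates."""
    return combined[0] <= strong[0] and combined[1] <= strong[1]


if __name__ == "__main__":
    for name, rule in (("AND", and_rule), ("OR", or_rule)):
        far, frr = rule(STRONG, WEAK)
        print(f"{name:5s} FAR={far:.3g} FRR={frr:.3g} "
              f"beats strong alone: {beats_strong_alone((far, frr), STRONG)}")
    far, frr, r_imp, r_gen = agree_rule(STRONG, WEAK)
    print(f"AGREE FAR={far:.3g} FRR={frr:.3g} mean rounds={r_gen:.4f} "
          f"beats strong alone: {beats_strong_alone((far, frr), STRONG)}")
```

With these inputs the AND rule drives the false-accept rate down but the false-reject rate up to roughly the weak test's level, and the OR rule does the reverse, which is Daugman's averaging effect; the agree rule improves both rates relative to the strong test alone at the cost of about one percent of subjects being retested, which is the trade-off the post describes.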