Re: Who's afraid of Mallory Wolf?

2003-03-25 Thread Jeroen C. van Gelderen
On Monday, Mar 24, 2003, at 18:57 US/Eastern, Ed Gerck wrote:
I'm sorry to say it but MITM is neither a fable nor
restricted to laboratory demos. It's an attack available
today even to script kiddies.
For example, there is a possibility that some evil attacker
redirects the traffic from the user's computer to his own
computer by ARP spoofing. With the programs arpspoof,
dnsspoof and webmitm in the dsniff package it is possible
for a script kiddie to read the SSL traffic in cleartext (list
of commands available if there is list interest). For this attack
to work the user and the attacker must be on the same LAN
or ... the attacker could be somewhere else using a hacked
computer on the LAN -- which is not so hard to do ;-)
This is good info!

...
Clearly, the browsers should not discriminate
against cert-less browsing opportunities
The only sign of the spoofing attack is that the user gets a
warning about the certificate that the attacker is presenting.
It's vital that the user does not proceed if this happens --
contrary to what you propose.
True. Based on his first post however I think that IanG is saying 
something like:

1. Presently 1% of Internet traffic is protected by SSL against
   MITM and eavesdropping.
2. 99% of Internet traffic is not protected at all.

3. A significant portion of the 99% could benefit from
   protection against eavesdropping but has no need for
   MITM protection. (This is a priori a truth, or the
   traffic would be secured with SSL today or not exist.)
4. The SSL infrastructure (the combination of browsers,
   servers and the protocol) does not allow the use of
   SSL for privacy protection only. AnonDH is not supported
   by browsers and self-signed certificates as a workaround
   don't work well either.
5. The reason for (4) is that the MITM attack is overrated.
   People refuse to provide the privacy protection because
   it doesn't protect against MITM. Even though MITM is not
   a realistic attack (2), (3).
   (That is not to say that (1) can do without MITM
   protection. I suspect that IanG agrees with this
   even though his post seemed to indicate the contrary.)
6. What is needed is a system that allows hassle-free,
   incremental deployment of privacy-protecting crypto
   without people whining about MITM protection.
Now, this could be achieved by enabling AnonDH in the SSL 
infrastructure and making sure that the 'lock icon' is *not* displayed 
when AnonDH is in effect. Also, servers should enable and support 
AnonDH by default, unless disabled for performance reasons.

BTW, this is NOT the way to make paying for CA certs go
away. A technically correct way to do away with CA certs
and yet avoid MITM has been demonstrated to *exist*
(not by construction) in 1997, in what was called intrinsic
certification -- please see  www.mcg.org.br/cie.htm
Phew, that is a lot of pages to read (40?). It's also rather tough 
material for me to digest. Do you have something like an example 
approach written up? I couldn't find anything on the site that did not 
require study.

Cheers,
Jeroen
--
Jeroen C. van Gelderen - [EMAIL PROTECTED]
The python
   has, and I fib no fibs,
 318 pairs of ribs.
  In stating this I place reliance
  On a séance with one who died for science.
This figure is sworn to and attested;
He counted them while being digested.
-- Ogden Nash
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Who's afraid of Mallory Wolf?

2003-03-25 Thread Jeroen C. van Gelderen
On Tuesday, Mar 25, 2003, at 12:28 US/Eastern, bear wrote:

On Tue, 25 Mar 2003, Anne & Lynn Wheeler wrote:

the other scenario that has been raised before is that the browsers treat
all certification authorities the same aka if the signature on the
certificate can be verified with any of the public keys in a browser's
public key table ... it is trusted. in effect, possibly 20-40 different
manufacturers of Chubb vault locks with a wide range of business
process controls ... and all having the same possible backdoor.
Furthermore, the consumer doesn't get to choose which Chubb lock is being
chosen.
Of course the consumer gets to make that choice.  I can go into my browser's
keyring and delete root certs that have been sold, ever.  And I routinely
do.  A fair number of sites don't work for me anymore, but I'm okay with
that.
Go tell that to Joe Average. Or your mom. Or my sister. Or the average 
MSN user. You know, the insignificant group of people that make up the 
majority of the Internet population these days.

If the lock icon is displayed it is safe.

Of course the consumer doesn't get to choose. Just like the consumer 
never, ever gets to use all of the features on his VCR[*]. This is a 
software agent deficiency. A UI issue: presently the UI doesn't 
facilitate the consumer in making that choice.

Cheers,
-J
[*] I'm *not* talking about TiVo here, just about old-fashioned VCRs.
--
Jeroen C. van Gelderen - [EMAIL PROTECTED]
Be precise in the use of words and expect precision from others
 -- Pierre Abelard


Re: Keysigning @ CFP2003

2003-03-24 Thread Jeroen C. van Gelderen
On Monday, Mar 24, 2003, at 11:00 US/Eastern, Ian Grigg wrote:

On Saturday 22 March 2003 17:12, Douglas F. Calvert wrote:

I will be organizing a keysigning session for CFP2003. Please submit
your keys to [EMAIL PROTECTED] and I will print out sheets with key
information in order to speed up the process. Bring a photo ID and a
copy of your key information so that you can verify what is on the
printout. A list of submitted keys and a keyring will be available on:
I must be out of touch - since when did
PGP key signing require a photo id?
It's rather efficient if you want to sign a large number of keys of 
people you mostly do not know personally.

-J
--
Jeroen C. van Gelderen - [EMAIL PROTECTED]
War prosperity is like the prosperity that an earthquake or a plague
brings. The earthquake means good business for construction workers,
and cholera improves the business of physicians, pharmacists, and
undertakers; but no one has for that reason yet sought to celebrate
earthquakes and cholera as stimulators of the productive forces in
the general interest. -- Ludwig von Mises


Re: Who's afraid of Mallory Wolf?

2003-03-24 Thread Jeroen C. van Gelderen
On Monday, Mar 24, 2003, at 11:37 US/Eastern, Peter Clay wrote:

On Sun, 23 Mar 2003, Ian Grigg wrote:

Consider this simple fact:  There has been no
MITM attack, in the lifetime of the Internet,
that has recorded or documented the acquisition
and fraudulent use of a credit card (CC).
(Over any Internet medium.)
How do you view attacks based on tricking people into going to a site
which claims to be affiliated with e.g. Ebay or Paypal, getting them to
enter their login information as usual, and using that to steal money?
It's not a pure MITM attack, but the current system at least makes it
possible for people to verify with the certificate whether or not the site
is a spoof.
Correct. On the other hand, in a lot of cases people cannot be expected 
to do the verification. This shows in the number of people that can be 
tricked into being spoofed out of their passwords, even when 
certificates are deployed. That is not an argument against certificates 
though, it is (partially) an argument against broken user interfaces.

Just out of interest, do you have an economic cost/benefit analysis for
the widespread deployment of gratuitous encryption?
What makes you say it is gratuitous? Or: how can you state my privacy 
is gratuitous?

It's just not that important. If your browsing privacy is important,
you're prepared to click through the alarming messages. If the value of
privacy is less than the tiny cost of clicking accept this certificate
forever for each site, then it's not a convincing argument for exposing
people who don't understand crypto to the risk of MITM.
This is illogical. Even if a server operator would prefer to allow 
unauthenticated encryption, he cannot do so without annoying 90% of his 
customers because they too will be getting these alarming messages. In 
general, if my browsing privacy is important to me and the server 
operator is willing to accommodate me, he cannot do so.

This however still does not constitute an argument against 
certificates. It can be morphed as an argument against browsers not 
supporting Anonymous-DH. (Note that I'm favoring treating sites 
offering ADH the same as sites offering a certificate. Each offers 
different functionality which should be distinguishable in the GUI.)

Cheers,
-J
--
Jeroen C. van Gelderen - [EMAIL PROTECTED]
The python
   has, and I fib no fibs,
 318 pairs of ribs.
  In stating this I place reliance
  On a séance with one who died for science.
This figure is sworn to and attested;
He counted them while being digested.
-- Ogden Nash


Re: Microsoft: Palladium will not limit what you can run

2003-03-14 Thread Jeroen C. van Gelderen
On Thursday, Mar 13, 2003, at 21:45 US/Eastern, Jay Sulzberger wrote:
On Thu, 13 Mar 2003, Hermes Remailer wrote:

The following comes from Microsoft's recent mailing of their awkwardly
named Windows Trusted Platform Technologies Information Newsletter
March 2003.  Since they've abandoned the Palladium name they are forced
to use this cumbersome title.

Hopefully this will shed light on the frequent claims that Palladium will
limit what programs people can run, or take over root on your computer,
and similar statements by people who ought to know better.  It is too
much to expect these experts to publicly revise their opinions, but
perhaps going forward they can begin gradually to bring their claims
into line with reality.
The Xbox will not boot any free kernel without hardware modification.

The Xbox is an IBM style peecee with some feeble hardware and software DRM.
and sold by Microsoft below cost (aka subsidized). With the expectation 
that you will be buying Microsoft games to offset the initial loss. 
(You don't have a right to this subsidy, it is up to Microsoft to set 
the terms here.)

A Palladiated box is an IBM style peecee with serious hardware and software DRM.
and sold by numerous vendors. With no expectations like the ones above.

So, a fortiori, your claim is false.
So, a fortiori you are comparing apples with oranges. Or you may have 
left out the part of your argument that bridges this gap.

Obviously a vendor can restrict what kind of software runs on the 
hardware he sells, either by contract or through technical means. In the 
latter case the consumer is of course free to circumvent the barriers, 
provided that he lives in a free country. If he doesn't like the 
vendor's policy, he is of course free to vote with his wallet.

Your conclusion may or may not be warranted but it can definitely not 
be drawn from this 3-sentence argument.

Cheers,
-J
--
Jeroen C. van Gelderen - [EMAIL PROTECTED]
They accused us of suppressing freedom of expression.
This was a lie and we could not let them publish it.
  -- Nelba Blandon,
 Nicaraguan Interior Ministry Director of Censorship


Re: Implementation guides for DH?

2003-01-01 Thread Jeroen C. van Gelderen
Adam,

This may be of use:

http://citeseer.nj.nec.com/anderson96minding.html

Over the last year or two, a large number of attacks have been found 
by the authors and others on protocols based on the discrete logarithm 
problem, such as ElGamal signature and Diffie Hellman key exchange. 
These attacks depend on causing variables to assume values whose 
discrete logarithms can be calculated, whether by forcing a protocol 
exchange into a smooth subgroup or by choosing degenerate values 
directly. We survey these attacks and discuss how to build systems that 
are robust against...

@inproceedings{anderson96minding,
  author    = {Anderson and Vaudenay},
  title     = {Minding Your p's and q's},
  booktitle = {{ASIACRYPT}: Advances in Cryptology -- {ASIACRYPT}:
               International Conference on the Theory and Application of Cryptology},
  publisher = {LNCS, Springer-Verlag},
  year      = 1996,
  url       = {citeseer.nj.nec.com/anderson96minding.html}
}

Cheers,
-J

On Wednesday, Jan 1, 2003, at 13:53 US/Eastern, Adam Shostack wrote:

I'm looking for a list of common implementation flaws in DH.  Things
like: How to check the key the other side sends, what are acceptable
values for p, etc?

Any pointers?

Adam


--
It is seldom that liberty of any kind is lost all at once.
   -- Hume





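As an added example that is not part of the thread, this is the kind of check Adam asks about, written in Python: validate the received group parameters (p, q, g) and reject any peer public value that lies outside the prime-order subgroup, the standard defence against the subgroup confinement attacks the Anderson/Vaudenay paper surveys. The parameters p = 139, q = 23 are constructed toy values chosen so that the hostile elements are visible; `element_of_order` is a helper written for this example.

```python
# Added example, not from the thread: "check the key the other side sends".
# Reject out-of-range values and any value outside the order-q subgroup, the
# standard defence against the subgroup confinement attacks in Anderson/Vaudenay.
import secrets

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; used here to sanity-check received group parameters."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def validate_group(p: int, q: int, g: int) -> bool:
    """Acceptable (p, q, g): p and q prime, q divides p-1, g of exact order q."""
    return (is_probable_prime(p) and is_probable_prime(q)
            and (p - 1) % q == 0 and 1 < g < p - 1 and pow(g, q, p) == 1)

def validate_dh_public(y: int, p: int, q: int) -> bool:
    """Peer's value must lie strictly inside (1, p-1) and in the order-q subgroup."""
    return 1 < y < p - 1 and pow(y, q, p) == 1

def element_of_order(p: int, r: int) -> int:
    """Constructed hostile value: an element of prime order r, where r | p-1."""
    for h in range(2, p):
        z = pow(h, (p - 1) // r, p)
        if z != 1:
            return z
    raise ValueError(f"no element of order {r} modulo {p}")

# Constructed toy parameters so the arithmetic stays visible; a deployment
# uses a named group (RFC 3526 / RFC 7919 MODP) with p of 2048 bits or more.
# p = 139 is prime with p-1 = 2 * 3 * 23, so q = 23; the order-2 and order-3
# elements below are exactly what a missing check would let through.
P, Q = 139, 23
G = element_of_order(P, Q)   # exact order 23, hence a generator of the subgroup

def check_peer_values() -> dict:
    """Run the validator over an honest value and several hostile ones."""
    honest_y = pow(G, 1 + secrets.randbelow(Q - 1), P)   # secret x in [1, q-1]
    return {
        "honest": validate_dh_public(honest_y, P, Q),                 # True
        "zero": validate_dh_public(0, P, Q),                          # False
        "one": validate_dh_public(1, P, Q),                           # False
        "p_minus_1": validate_dh_public(P - 1, P, Q),                 # False: order 2
        "order_3": validate_dh_public(element_of_order(P, 3), P, Q),  # False
        "too_big": validate_dh_public(P + 7, P, Q),                   # False
    }
```

With a safe prime (q = (p-1)/2) the same two checks suffice, since the only small subgroup left is {1, p-1}.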



Re: Thanks, Lucky, for helping to kill gnutella

2002-08-10 Thread Jeroen C. van Gelderen


On Friday, Aug 9, 2002, at 13:05 US/Eastern, AARG! Anonymous wrote:
 If only...  Luckily the cypherpunks are doing all they can to make sure
 that no such technology ever exists.  They will protect us from being able
 to extend trust across the network.  They will make sure that any open
 network like Gnutella must forever face the challenge of rogue clients.
 They will make sure that open source systems are especially vulnerable
 to rogues, helping to drive these projects into closed source form.

This argument is a straw man but to be fair: I am looking forward to 
your detailed proof that the only way to protect a Gnutella-like 
network from rogue clients is a Palladium-like system. You are so 
adamant that I have to assume you have such proof sitting right on your 
desk. Please share it with us.

-J





Re: Welome to the Internet, here's your private key

2002-02-04 Thread Jeroen C. van Gelderen


You sound surprised? I recently asked my bank[1] for a solvency 
statement on a personal account and they responded that they were not 
allowed to provide such statements. When pressed for an explanation I 
was told that handing out those statements caused them too much 
litigation. Apparently when the bank states that
   Alice has been a customer since 23-01-1980 and as of
12-12-1999 her account is in good standing.
they can be (and indeed have been) sued when Alice goes bankrupt in 
2002. This despite the fact that the statement obviously does not make 
any claim about Alice in 2002. Now, the bank may very well win the court 
case, or they may not. Whatever the outcome, it will cost them.

The moral of the story is: when the legal system allows for silly cases 
like this, alternative protective measures[2] will be put in place, such 
as not handing out solvency statements[3], or forcing a user to accept a 
CA-generated private key. The problem here is not with the technical 
competence of the CA but rather with the CA being held liable and being 
forced to mitigate the risk of losing lots of money.

Technically speaking, having the CA generate the private keys allows the 
user to repudiate signatures made with the key. After all, the CA (or 
one of its employees) could have leaked the key or have signed stuff 
with it.

Practically speaking this would probably be solved by passing an 
additional law that declares CAs trustworthy by definition. After all, 
if you don't pass such a law, the PKI cannot work in the current legal 
framework. And CAs are run by the good people, right? What is wrong with 
effective key escrow for signature keys!? ;-p

We do not even want to think about the conflicts of interest: what 
incentive is there for a CA to report that it lost a user's private key?

-J

[1]  ABN-AMRO.

[2]  Alternative because the legal system is supposed to protect the honest
  party here but obviously fails.

[3]  The bank does have provisions for providing solvency statements on
  business accounts. They have insurance and make you pay (indirectly).


On Monday, February 4, 2002, at 08:45 , Jaap-Henk Hoepman wrote:


 It's worse: it's even accepted practice among certain security specialists. One
 of them involved in the development of a CA service once told me that they
 intended the CA to generate the key pair. After regaining consciousness I asked
 him why he thought violating one of the main principles of public key
 cryptography was a good idea. His answer basically ran as follows: if the CA is
 going to be liable, they want to be sure the key is strong and not
 compromised. He said that the PC platform of an ordinary user simply wasn't
 secure/trusted enough to generate keys on. The system might not generate `good
 enough' randomness, or might have been compromised by a trojan.

 Jaap-Henk

 On Sun, 3 Feb 2002 15:09:57 +0100  [EMAIL PROTECTED] writes:
 It is accepted practice among security people that you generate your own
 private key.  It is also, unfortunately, accepted practice among non-security
 people that your CA generates your private key for you and then mails it to
 you as a PKCS #12 file (for bonus points the password is often included in
 the same or another email).  Requests to have the client generate the key
 themselves and submit the public portion for certification are met with
 bafflement, outright refusal, or at best grudging acceptance if they're big
 enough to have some clout.  This isn't a one-off exception, this is more or
 less the norm for private industry working with established (rather than
 internal, roll-your-own) CAs.  This isn't the outcome of pressure from
 shadowy government agencies, this is just how things are done.  Be afraid.


 --
 Jaap-Henk Hoepman | Come sail your ships around me
 Dept. of Computer Science | And burn your bridges down
 University of Twente  |   Nick Cave - Ship Song
 Email: [EMAIL PROTECTED] === WWW: www.cs.utwente.nl/~hoepman
 Phone: +31 53 4893795 === Secr: +31 53 4893770 === Fax: +31 53 4894590
 PGP ID: 0xF52E26DD  Fingerprint: 1AED DDEB C7F1 DBB3  0556 4732 4217 ABEF




--
Jeroen C. van Gelderen - [EMAIL PROTECTED]

Economics is a theoretical science and as such abstains from any
judgement of value. It is not its task to tell people what ends
they should aim at. It is a science of the means to be applied for
attainment of ends chosen, not, to be sure, a science of the choosing
of ends. Ultimate decisions, the valuations and the choosing of ends,
are beyond the scope of any science. Science never tells a man how
he should act; it merely shows how a man must act if he wants to
attain definite ends. -- Ludwig von Mises