Re: An interesting new computer security problem

2004-09-30 Thread David Honig
At 12:58 PM 9/27/04 -0600, Anne  Lynn Wheeler wrote:
At 11:03 PM 9/24/2004, Peter Gutmann wrote:
A few days ago I was chatting with some people working on a government IT
project who had a rather complex security problem that they needed help
with.
They have a large number of users with Windows dumb terminals (think Xterms
but for Windows) connected to a central ASP server, which runs various
mutually untrusted apps from different vendors.  Their problem was that they
needed a means of securing the individual apps from each other.

I told them that they were in luck, and this exact problem had already been
addressed before.  I'd drop off the detailed technical specs for the
solution when I next saw them; they could recognise it by its bright
orange cover.

Put each app on a separate machine, and don't put any networking
equipment in the machines.  Simple.



=
36 Laurelwood Dr
Irvine CA 92620-1299

VOX: (714) 544-9727 (home) mnemonic: P1G JIG WRAP

ICBM: -117.7621, 33.7275
PGP PUBLIC KEY: by arrangement

Send plain ASCII text not HTML lest ye be misquoted.  Really.

--

Don't 'sir' me, young man, you have no idea who you're dealing with
Tommy Lee Jones, MIB



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


IBM's original S-Boxes for DES?

2004-09-30 Thread Nicolai Moles-Benfell
Hi,

A number of sources state that the NSA changed the S-Boxes (and reduced the key
size) of IBM's original DES submission, and that these changes were made to
strengthen the cipher against differential/linear/?? cryptanalysis.

Does anybody have a reference to, or have an electronic copy of these original
S-Boxes?

Nicolai.

[Moderator's note: Google for information on the original cipher,
called Lucifer. --Perry]


Re: Linux-based wireless mesh suite adds crypto engine support

2004-09-30 Thread Jonathan Thornburg
On Mon, 27 Sep 2004, Bill Stewart wrote:
[[about the Via crypto sets]]
 The hard part is trust - Cryptography Research did a study last year
 about the quality of the random number generator, and found that you
 get about 0.75 bits of entropy per output bit, or 0.99 if you do
 Von Neumann whitening, so it's fine for feeding your crypto-based whitener.
 
 But their report indicates that they were mainly working from
 design documentation and testing actual equipment,
 so their tests don't show what the RNG does if you execute
  SET MSR UNDOCUMENTED_EVIL_WIRETAP_MODE
 first, much less what happens to the AES keying info or IVs.

UNDOCUMENTED_EVIL_WIRETAP_MODE can be just about impossible to spot
without full design oversight.  Even for a 3DES chip, where supposedly
you can use deterministic test vectors to verify things, the following
scheme due to Henry Spencer embeds an almost-impossible-to-spot-in-practice
backdoor:

(N.b. the original URL is now dead, but google on the quoted phrase
  GOTCHA, YOU OPEN-SOURCE WEENIES -- NSA RULES! found two other
  archived copies)

  ## http://www.sandelman.ottawa.on.ca/linux-ipsec/html/1999/09/msg00240.html
 
  Re: linux-ipsec: Intel IPSEC accelerator gives 3DES protected 100Mbit Ethernet
 
   * To: Linux IPsec [EMAIL PROTECTED]
   * From: Henry Spencer [EMAIL PROTECTED]
   * Date: Thu, 16 Sep 1999 10:48:52 -0400 (EDT)
 
 
  William H Geiger writes:
   I don't know if you still follow the CP list but we have
   been having a long debate on the trustworthiness of Intel
   hardware, especially their RNG...
  
  At first I thought this was pretty much a non-issue here.  The problem
  with the RNG is that it's so hard to decide whether its output is really
  random.  But 3DES is a deterministic transform which can be tested against
  other implementations, so you can easily establish whether the chip is
  really doing 3DES or not.
  
  Alas, then I got to thinking.  Suppose one built a 3DES accelerator chip
  so that, if and only if:
  
  (a) the chip is doing near-continuous encryptions at high speed, and
  (b) the keys are changing every packet or two, and
  (c) the chip detects -- via a simple mechanism like a little hash table --
  a key which has appeared before, recently, and
  (d) this key has not been marked compromised in the hash table, and
  (e) an internal 16-bit packet counter is all-1s,
  
  then
  
  (!) mark the key compromised in the hash table, XOR the key with the
  string GOTCHA, YOU OPEN-SOURCE WEENIES -- NSA RULES!, prefix it with a
  random-looking constant bit pattern, and sprinkle the resulting bits into
  the encrypted data, in a haphazard but deterministic pattern.
  
  This is, of course, an encryption error.  But rules (a)-(e) make it
  essentially irreproducible, so it won't happen a second time (and will be
  quite difficult to reproduce even in a test setup).  Almost certainly it
  will get written off as a random error, and the affected packet will be
  re-processed correctly and re-sent, and all will be well.
  
  Except that an eavesdropper on the high-speed wire just looks for the
  constant bit pattern in the right places in a packet, and (almost) every
  time he sees it, he's nabbed an encryption key.
  
  There's no limit to the complexity that can be added -- especially if
  you're willing to consider active wiretapping, with the chip going into
  this mode only if it sees (say) an ICMP ping with the right data in it --
  to defeat attempts to find this sort of thing on the test bench.
  
  I fear I agree with William; nothing short of peer review of the hardware
  design makes such a device trustworthy.
  
Henry Spencer
 [EMAIL PROTECTED]
   ([EMAIL PROTECTED])
  
  
  -
  This is the [EMAIL PROTECTED] mailing list. It is a
  restrict-Post filtered version of [EMAIL PROTECTED]
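The entropy figures in Bill Stewart's quoted remarks (raw output versus Von Neumann-whitened output) can be reproduced against a constructed biased bit source. This is an added illustration, not code from the original thread or from Cryptography Research; the bias value 0.8 and the seed are assumptions chosen for the demo, and the entropy measure is a first-order estimate that assumes the bits are independent.

```python
import math
import random


def shannon_entropy_per_bit(bits):
    """First-order Shannon entropy (bits per output bit) from the 0/1 frequencies.

    Caveat: this only measures bias. A correlated source can score 1.0 here
    and still be predictable, which is why it is an upper bound, not a proof.
    """
    n = len(bits)
    if n == 0:
        return 0.0
    ones = sum(bits)
    h = 0.0
    for count in (ones, n - ones):
        if count:
            p = count / n
            h -= p * math.log2(p)
    return h


def von_neumann_whiten(bits):
    """Von Neumann debiasing over non-overlapping pairs: 01 -> 0, 10 -> 1, 00/11 dropped.

    Removes bias exactly only if the input bits are independent and identically
    distributed; it does nothing about correlation between successive bits.
    """
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)  # first bit of the pair decides: 10 -> 1, 01 -> 0
    return out


def biased_source(n, p_one, seed=1):
    """Constructed stand-in for a hardware RNG: independent bits, P(1) = p_one (assumed)."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def demo(n=200_000, p_one=0.8):
    """Raw entropy ~0.72 bit/bit at p_one=0.8; after whitening ~1.0 at ~16% yield."""
    raw = biased_source(n, p_one)
    white = von_neumann_whiten(raw)
    return {
        "raw_entropy": shannon_entropy_per_bit(raw),
        "whitened_entropy": shannon_entropy_per_bit(white),
        "yield": len(white) / len(raw),
    }
```

The price of the whitening is throughput: only pairs that differ produce an output bit, so roughly 2p(1-p) of the input pairs survive, which is why a hardware RNG is normally fed into a cryptographic whitener rather than used raw.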

DIMACS Workshop on Mobile and Wireless Security

2004-09-30 Thread Linda Casals

*
 
DIMACS Workshop on Mobile and Wireless Security 
  
 November 3 - 4, 2004
 DIMACS Center, Rutgers University, Piscataway, NJ

Organizers: 
  Bill Arbaugh, University of Maryland, [EMAIL PROTECTED] 
 
Presented under the auspices of the Special Focus on Communication
Security and Information Privacy.




The rapid growth of both voice and data wireless communications has
resulted in several serious security problems in both the voice and 
data spaces. Unfortunately, many of the early security mistakes made 
with wireless voice communications were repeated with data
communications, i.e. the use of flawed authentication and
confidentiality algorithms. For example, the standards committee for 
802.11 left many of the difficult security issues such as key
management and a robust authentication mechanism as open problems. 
This has led many organizations to use either a permanent fixed
cryptographic variable or no encryption with their wireless networks. 
Since wireless networks provide an adversary a network access point
that is beyond the physical security controls of the organization, 
security can be a problem. Similarly, attacks against WEP, the
link-layer security protocol for 802.11 networks, can exploit design 
failures to successfully attack such networks. This workshop will 
focus on addressing the many outstanding issues that remain in
wireless cellular and WLAN networking such as (but not limited to):
Management and monitoring; ad-hoc trust establishment; secure roaming
between overlay networks; availability and denial of service
mitigation; and network and link layer security protocols. We will 
seek to extend work on ad hoc networking from a non-adversarial
setting, assuming a trusted environment, to a more realistic setting
in which an adversary may attempt to disrupt communication. We will
investigate a variety of approaches to securing ad hoc networks, in 
particular ways to take advantage of their inherent redundancy 
(multiple routes between nodes), replication, and new cryptographic 
schemes such as threshold cryptography.

**

Call for Participation:

Advances in wireless technology as well as several other areas are
changing the way the world does business and as a result computing is
becoming more mobile, and users are demanding continuous access to the
Internet. At the same time, the number of devices with embedded
networking technology is growing exponentially--from boxes with RFID
tags to Wi-Fi capable refrigerators since they destroy the notion of a
static defensive perimeter. Furthermore, these trends make the ease of
use and management of wireless based networks more important since
naive consumers in the future will be establishing and using wireless
networks on a scale significantly larger than today. This workshop
will focus on identifying the current and future problems in wireless
security and privacy and discuss possible solutions.

The three day workshop will be organized around a series of talks on
subjects related to mobility, wireless, and security and privacy
technologies. There will be a mix between invited talks and talks
selected from extended abstracts with plenty of discussion time
between talks.



Workshop Program:
Wednesday, November 3, 2004

 9:00 - 10:00  Breakfast and Registration

10:00 - 10:15  Welcome and Overview of Program  
   Fred Roberts, DIMACS Director

10:15 - 11:00  Wireless Authentication Overview 
   William Arbaugh

11:00 - 11:45  TBD  
   DJ Johnston, Intel (tentatively confirmed)

11:45 - 12:30  Role of Authorization in Wireless Network Security   
   Pasi Eronen, Nokia

12:30 -  2:00  Lunch

 2:00 -  2:45  Network Access Control Schemes Vulnerable to Covert Channels 
   Florent Bersani

 2:45 -  3:30  TBD  
   Jesse Walker, Intel 
 
 3:30 -  4:00  Break

 4:00 -  5:00  Secure and Efficient Network Access  
   Jari Arkko, Ericsson

 5:00  Social Event

Thursday, November 4, 2004

 8:30 -  9:00  Breakfast and Registration   
 
 9:00 -  9:45  Extending the GSM/3G Key Infrastructure  
   Scott Guthery

 9:45 - 10:30  Wireless Security and Roaming Overview   
   Nidal Aboudagga, UCL

10:30 - 11:00  Break

11:00 - 11:45  TBD  
   James Kempf, DoCoMo USA Labs

11:45 - 12:30  TBD  
   Nancy Cam-Winget, Cisco 

12:30 -  2:00  Lunch

 2:00 -  2:45  Securing Wireless Localization   
   Zang Li, Rutgers

 2:45 -  3:30  Discussion Period- how to move forward, hard problems?   
   William Arbaugh

 3:30  Closing

**
Registration: