Re: [EMAIL PROTECTED]: Skype security evaluation]

2005-10-25 Thread cyphrpunk
On 10/23/05, Travis H. [EMAIL PROTECTED] wrote:
 My understanding of the peer-to-peer key agreement protocol (hereafter
 p2pka) is based on section 3.3 and 3.4.2 and is something like this:

 A -> B: N_ab
 B -> A: N_ba
 B -> A: Sign{f(N_ab)}_a
 A -> B: Sign{f(N_ba)}_b
 A -> B: Sign{A, K_a}_SKYPE
 B -> A: Sign{B, K_b}_SKYPE
 A -> B: Sign{R_a}_a
 B -> A: Sign{R_b}_b

 Session key SK_AB = g(R_a, R_b)

But what you have shown here has no encryption, hence no secrecy.
Surely RSA encryption must be used somewhere along the line. The
report doesn't say anything about the details of how that is done. In
particular, although it mentions RSA signature padding it says nothing
about RSA encryption padding.

Is it possible that Skype doesn't use RSA encryption? Or if they do,
do they do it without using any padding, and is that safe?

CP

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

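The transcript above, modelled as an added example (not code from the Skype evaluation or from either poster) to show concretely what CP is pointing at: with R_a and R_b sent signed but not encrypted, a passive observer of the wire derives the same SK_AB as the two endpoints. The hash functions f and g, the HMAC stand-in for Sign{...}, the Party class and the constructed Skype CA secret are all assumptions of the example; the sketch's signature subscripts are taken as written and each signed message is treated as signed by its sender.

```python
import hashlib
import hmac
import secrets


def f(nonce):
    # Assumed: f is a hash of the peer's nonce (the report gives no details).
    return hashlib.sha256(b"f|" + nonce).digest()


def g(r_a, r_b):
    # Assumed: SK_AB = g(R_a, R_b) is a hash over both random contributions.
    return hashlib.sha256(b"g|" + r_a + b"|" + r_b).digest()


def sign(signing_secret, payload):
    # Stand-in for Sign{payload}_x. The report describes RSA signatures; an HMAC
    # under a per-signer secret gives the transcript the same shape (payload in
    # the clear, authenticator attached) and nothing below depends on the scheme.
    return hmac.new(signing_secret, payload, hashlib.sha256).digest()


class Party:
    def __init__(self, name):
        self.name = name
        self.signing_secret = secrets.token_bytes(32)  # stands in for the private key
        self.nonce = secrets.token_bytes(16)           # N_ab / N_ba
        self.r = secrets.token_bytes(32)               # R_a / R_b

    def signed(self, payload):
        return (payload, sign(self.signing_secret, payload))


SKYPE_CA_SECRET = b"constructed Skype CA signing secret"  # assumption, for the certs


def run_p2pka(a, b):
    """Run the eight messages of the sketch. Returns (SK at A, SK at B, wire), where
    wire is the list of (sender, label, message) exactly as an on-path observer
    sees it."""
    wire = []

    def send(sender, label, message):
        wire.append((sender.name, label, message))
        return message

    send(a, "N_ab", a.nonce)
    send(b, "N_ba", b.nonce)
    send(b, "Sign{f(N_ab)}", b.signed(f(a.nonce)))
    send(a, "Sign{f(N_ba)}", a.signed(f(b.nonce)))
    send(a, "Sign{A, K_a}_SKYPE", (a.name.encode(), sign(SKYPE_CA_SECRET, a.name.encode())))
    send(b, "Sign{B, K_b}_SKYPE", (b.name.encode(), sign(SKYPE_CA_SECRET, b.name.encode())))
    r_a_msg = send(a, "Sign{R_a}_a", a.signed(a.r))   # signed, not encrypted
    r_b_msg = send(b, "Sign{R_b}_b", b.signed(b.r))   # signed, not encrypted

    # Each side combines its own R with the R it received from the peer.
    sk_a = g(a.r, r_b_msg[0])
    sk_b = g(r_a_msg[0], b.r)
    return sk_a, sk_b, wire


def passive_observer_key(wire):
    """An eavesdropper who only reads the wire. R_a and R_b travel in the clear (the
    signature authenticates them but does not hide them), so the observer computes
    SK_AB with no key material and no active interference."""
    seen = {label: message for _, label, message in wire}
    r_a, _ = seen["Sign{R_a}_a"]
    r_b, _ = seen["Sign{R_b}_b"]
    return g(r_a, r_b)


def demo():
    """Returns (peers agree on SK, observer recovers the same SK)."""
    alice, bob = Party("A"), Party("B")
    sk_a, sk_b, wire = run_p2pka(alice, bob)
    return sk_a == sk_b, passive_observer_key(wire) == sk_a


if __name__ == "__main__":
    print(demo())  # (True, True): nothing in this transcript keeps SK_AB secret
```

The signatures stop an active attacker from substituting his own R, but that is all they do; whatever RSA encryption the real protocol applies to R_a and R_b (the detail the report leaves out) is exactly what this transcript lacks.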

Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-25 Thread cyphrpunk
On 10/22/05, Ian G [EMAIL PROTECTED] wrote:
 R. Hirschfeld wrote:
  This is not strictly correct.  The payer can reveal the blinding
  factor, making the payment traceable.  I believe Chaum deliberately
  chose for one-way untraceability (untraceable by the payee but not by
  the payer) in order to address concerns such as blackmailing,
  extortion, etc.  The protocol can be modified to make it fully
  untraceable, but that's not how it is designed.

 Huh - first I've heard of that, would be
 encouraging if that worked.  How does it
 handle an intermediary fall guy?   Say
 Bad Guy Bob extorts Alice, and organises
 the payoff to Freddy Fall Guy.  This would
 mean that Alice can strip her blinding
 factors and reveal that she paid to Freddy,
 but as Freddy is not to be found, he can't
 be encouraged to reveal his blinding factors
 so as to reveal that Bob bolted with the
 dosh.

Right, that is one of the kinds of modifications that Ray referred to.
If the mint allows (de-facto) anonymous exchanges then a blackmailer
can simply do an exchange of his ecash before spending it and he will
be home free. Another mod is for the blackmailer to supply the
proto-coin to be signed, in blinded form.

One property of Daniel Nagy's epoint system is that it creates chains
where each token that gets created is linked to the one it came from.
This could be sold as an anti-abuse feature, that blackmailers and
extortionists would have a harder time avoiding being caught. In
general it is an anti-laundering feature since you can't wash your
money clean, it always links back to when it was dirty.

U.S. law generally requires that stolen goods be returned to the
original owner without compensation to the current holder, even if
they had been purchased legitimately (from the thief or his agent) by
an innocent third party. Likewise a payment system with traceable
money might find itself subject to legal orders to reverse subsequent
transactions, confiscate value held by third parties and return the
ill-gotten gains to the victim of theft or fraud. Depending on the
full operational details of the system, Daniel Nagy's epoints might be
vulnerable to such legal actions.

Note that e-gold, which originally sold non-reversibility as a key
benefit of the system, found that this feature attracted Ponzi schemes
and fraudsters of all stripes, and eventually it was forced to reverse
transactions and freeze accounts. It's not clear that any payment
system which keeps information around to allow for potential
reversibility can avoid eventually succumbing to pressure to reverse
transactions. Only a Chaumian type system, whose technology makes
reversibility fundamentally impossible, is guaranteed to allow for
final clearing. And even then, it might just be that the operators
themselves will be targeted for liability since they have engineered a
system that makes it impossible to go after the fruits of criminal
actions.

CP



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-25 Thread cyphrpunk
On 10/24/05, Steve Schear [EMAIL PROTECTED] wrote:
 I don't think E-gold ever held out its system as non-reversible with proper
 court order.  All reverses I am aware happened either due to some technical
 problem with their system or an order from a court of competence in the
 matter at hand.

Back in the days of such companies as emutualfun.com and
stockgeneration.com there were cases where e-gold froze accounts
without waiting for court orders. I was involved with the discussion
on the e-gold mailing lists back then and it caused considerable hard
feeling among the users. E-gold was struggling to deal with the
onslaught of criminal activity (Ian Grigg described the prevailing
mood as one of 'angst') and they were thrown into a reactive mode.
Eventually I think they got their house in order and established
policies that were more reasonable.

 Its not clear at all that courts will find engineering a system for
 irreversibility is illegal or contributory if there was good justification
 for legal business purposes, which of course there are.

Yes, but unfortunately it is not clear at all that courts would find
the opposite, either. If a lawsuit names the currency issuer as a
defendant, which it almost certainly would, a judge might order the
issuer's finances frozen or impose other measures which would impair
its business survival while trying to sort out who is at fault. It
would take someone with real cojones to go forward with a business
venture of this type in such uncharted waters.

CP



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-25 Thread cyphrpunk
On 10/24/05, John Kelsey [EMAIL PROTECTED] wrote:
 More to the point, an irreversible payment system raises big practical
 problems in a world full of very hard-to-secure PCs running the
 relevant software.  One exploitable software bug, properly used, can
 steal an enormous amount of money in an irreversible way.  And if your
 goal is to sow chaos, you don't even need to put most of the stolen
 money in your own account--just randomly move it around in
 irreversible, untraceable ways, making sure that your accounts are
 among the ones that benefit from the random generosity of the attack.

To clarify one point, it is not necessary to have accounts in an
ecash system. Probably the simpler approach is for a mint that has
three basic functions: selling ecash for real money; exchanging ecash
for new ecash of equal value; and buying ecash for real money. All
ecash exchanges with the mint can be anonymous, and only when ecash is
exchanged for real money does that side of the transaction require a
bank account number or similar identifying information.

In such a system, the ecash resides not in accounts, but in digital
wallets which are held in files on end users' computers. The basic
attack scenario then is some kind of virus which hunts for such files
and sends the ecash to the perpetrator. If the ecash wallet is
protected, by a password or perhaps a token which must be inserted,
the virus can lie in wait and grab the ecash once the user opens the
wallet manually. There are several kinds of malicious activities that
are possible, from simply deleting the cash to broadcasting it in
encrypted form such as by IRC. Perhaps it could even engage in the
quixotic action of redistributing some of the cash among the users,
but my guess is that pecuniary motivations would dominate and most
viruses will simply do their best to steal ecash. Without accounts per
se, and using a broadcast channel, there is little danger in receiving
or spending the stolen money.

Digital wallets will require real security in user PCs. Still I don't
see why we don't already have this problem with online banking and
similar financial services. Couldn't a virus today steal people's
passwords and command their banks to transfer funds, just as easily as
the fraud described above? To the extent that this is not happening,
the threat against ecash may not happen either.

 The payment system operators will surely be sued for this, because
 they're the only ones who will be reachable.  They will go broke, and
 the users will be out their money, and nobody will be silly enough to
 make their mistake again.

They might be sued but they won't necessarily go broke. It depends on
how deep the pockets are suing them compared to their own, and most
especially it depends on whether they win or lose the lawsuit. As
Steve Schear noted, there is a reasonable argument that a payment
system issuer should not be held liable for the misdeeds of its
customers. Jurisdictional issues may be important as well. Clearly
anyone proposing to enter this business will have to accept the risk
and cost of defending against such lawsuits as part of the business
plan.

CP


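A worked model of two points in this thread, as an added example and not code from Chaum's, Nagy's or anyone else's system: Hirschfeld's one-way traceability (the payer can reveal the blinding factor and link a coin to a withdrawal) together with the exchange workaround CP describes for a blackmailer, and the three-function mint (sell, exchange, buy) from the later message. The toy RSA key (two Mersenne primes, far too small for real use), the coin encoding and the Mint class are constructed for the example.

```python
import hashlib
import math
import secrets

# Constructed toy RSA key, about 92 bits: the blinding arithmetic is the point,
# not the key size.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def coin_value(serial):
    """Map a coin serial (bytes) to the integer the mint signs. A 64-bit hash keeps it
    below n; a real scheme needs a redundant encoding so forged integers are not coins."""
    return int.from_bytes(hashlib.sha256(serial).digest()[:8], "big")


def blind(m):
    """Payer side: pick a blinding factor r and present m * r^e mod n to the mint."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r


def unblind(blinded_sig, r):
    # (m * r^e)^d * r^-1 = m^d * r * r^-1 = m^d mod n
    return (blinded_sig * pow(r, -1, N)) % N


def verify(m, sig):
    return pow(sig, E, N) == m


class Mint:
    """Three functions: sell (blind-sign for money), exchange (valid coin in, fresh
    blind signature out), buy (redeem for money). It keeps the blinded values it
    signed and the serials it has accepted, which is all it ever sees."""

    def __init__(self):
        self.withdrawals = []   # (customer, blinded value): the identified side
        self.spent = set()      # serials already redeemed or exchanged

    def sell(self, customer, blinded):
        # Customer's bank account would be debited here; only this step is identified.
        self.withdrawals.append((customer, blinded))
        return pow(blinded, D, N)

    def _accept(self, serial, sig):
        if serial in self.spent or not verify(coin_value(serial), sig):
            return False
        self.spent.add(serial)
        return True

    def exchange(self, serial, sig, new_blinded):
        """Anonymous: a valid coin comes in, a blinded value goes out, unlinkably."""
        if not self._accept(serial, sig):
            raise ValueError("bad or double-spent coin")
        return pow(new_blinded, D, N)

    def buy(self, serial, sig, bank_account):
        if not self._accept(serial, sig):
            raise ValueError("bad or double-spent coin")
        return ("credit", bank_account)


def links_to_withdrawal(withdrawals, serial, r):
    """One-way traceability: the payer reveals (serial, r); anyone holding the mint's
    withdrawal log recomputes m * r^e and finds the matching record, if any."""
    blinded = (coin_value(serial) * pow(r, E, N)) % N
    return [customer for customer, b in withdrawals if b == blinded]


def demo():
    """Alice pays a coin to extortionist Bob, who exchanges it before spending it.
    Returns (who Alice's reveal traces the paid coin to, who it traces Bob's new
    coin to, the payout Bob receives)."""
    mint = Mint()
    serial = secrets.token_bytes(16)                     # Alice keeps serial and r
    blinded, r = blind(coin_value(serial))
    sig = unblind(mint.sell("alice", blinded), r)
    serial2 = secrets.token_bytes(16)                    # Bob's replacement coin
    blinded2, r2 = blind(coin_value(serial2))            # r2 is Bob's alone
    sig2 = unblind(mint.exchange(serial, sig, blinded2), r2)
    traced_old = links_to_withdrawal(mint.withdrawals, serial, r)
    traced_new = links_to_withdrawal(mint.withdrawals, serial2, r)
    return traced_old, traced_new, mint.buy(serial2, sig2, "bob-account")


def double_spend_rejected():
    mint = Mint()
    serial = secrets.token_bytes(16)
    blinded, r = blind(coin_value(serial))
    sig = unblind(mint.sell("carol", blinded), r)
    mint.buy(serial, sig, "carol-account")
    try:
        mint.buy(serial, sig, "carol-account")
    except ValueError:
        return True
    return False
```

Alice's reveal proves she withdrew the coin that went into the exchange, and the trail stops there: the coin Bob cashes was blinded with his own r2 and never appears in a withdrawal record. The other modification CP mentions needs no new code: if Bob hands Alice the already-blinded value and she merely calls sell() with it, she never learns the serial or r and has nothing to reveal.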

[PracticalSecurity] Anonymity - great technology but hardly used

2005-10-25 Thread R.A. Hettinga

--- begin forwarded text


 Date: Mon, 24 Oct 2005 23:31:34 +0200
 To: [EMAIL PROTECTED]
 From: Hagai Bar-El [EMAIL PROTECTED]
 Subject: [PracticalSecurity] Anonymity - great technology but hardly used
 Sender: [EMAIL PROTECTED]

 Hello,

 I wrote a short essay about anonymity and pseudonymity being
 technologies that are well advanced but seldom used.

 Following are excerpts from the essay that can be found at:
 http://www.hbarel.com/Blog/entry0006.html

 In spite of our having the ability to establish anonymous surfing,
 have untraceable digital cash tokens, and carry out anonymous
 payments, we don't really use these abilities, at large. If you are
 not in the security business you are not even likely to be aware of
 these technical abilities.

 If I may take a shot at guessing the reason for the gap between what
 we know how to do and what we do, I would say it's due to the overall
 lack of interest of the stakeholders. Fact probably is, most people
 don't care that much about anonymity, and most of the ones who do,
 are not security geeks who appreciate the technology and thus trust
 it. So, we use what does not require mass adoption and do not use what does.

 Anonymous browsing is easy, because it does not need an expensive
 infrastructure that requires a viable business model behind it;
 fortunately. A few anonymity supporters run TOR servers on their
 already-existent machines, anonymity-aware users run TOR clients and
 proxy their browsers through them, and the anonymity need is met. The
 onion routing technology that TOR is based on is used; not too often,
 but is used. The problem starts with systems that require a complex
 infrastructure to run, such as anonymous payment systems.

 As much as some of us don't like to admit it, most consumers do not
 care about the credit card company compiling a profile of their money
 spending habits. Furthermore, of the ones who do, most are not
 security engineers and thus have no reason to trust anonymity schemes
 they don't see or feel intuitively (as one feels when paying with
 cash). The anonymous payment systems are left to be used primarily by
 the security-savvy guys who care; they do not form a mass market.

 I believe that for anonymity and pseudonymity technologies to survive
 they have to be applied to applications that require them by design,
 rather than to mass-market applications that can also do (cheaper)
 without. If anonymity mechanisms are deployed just to fulfill the
 wish of particular users then it may fail, because most users don't
 have that wish strong enough to pay for fulfilling it. An example for
 such an application (that requires anonymity by design) could be
 E-Voting, which, unfortunately, suffers from other difficulties. I am
 sure there are others, though.


 Regards,
 Hagai.


 ___
 PracticalSecurity mailing list
 [EMAIL PROTECTED]
 http://hbarel.com/mailman/listinfo/practicalsecurity_hbarel.com

--- end forwarded text


-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



semi-predictable OTPs

2005-10-25 Thread Travis H.
I recall reading somewhere that the NSA got ahold of some KGB numeric
OTPs (in the standard five-digit groups).  They found that they
contained corrections, typos, and showed definite non-random
characteristics.  Specifically, they had a definite left-hand
right-hand alternation, and tended to not have enough repeated digits,
as though typists had been told to type random numbers.  Despite this,
the NSA wasn't able to crack any messages.

My question is, why?   I think I know the reason, and that is that any
predictability in a symbol of the OTP correlated to a predictability
in only one plaintext symbol.  In other words, there was no leverage
whereby that plaintext could then be used to derive other symbols. 
Can anyone explain this better (or more accurately)?  Is this lack of
diffusion?  Or does it have something to do with the unicity distance?
--
http://www.lightconsulting.com/~travis/  --
We already have enough fast, insecure systems. -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B



Announcing OpenPGP:SDK

2005-10-25 Thread Ben Laurie
At EuroOSCon, Rachel Willmer and I announced OpenPGP:SDK, a BSD-licensed
C library implementing the OpenPGP standard. The SDK is sponsored by
Nominet.

Although we are still very much in beta, feedback will be appreciated.

Permalink: http://www.links.org/?p=20

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html   http://www.thebunker.net/

There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-25 Thread John Kelsey
From: cyphrpunk [EMAIL PROTECTED]
Sent: Oct 24, 2005 5:58 PM
To: John Kelsey [EMAIL PROTECTED]
Subject: Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like 
Payment Systems

...
Digital wallets will require real security in user PCs. Still I don't
see why we don't already have this problem with online banking and
similar financial services. Couldn't a virus today steal people's
passwords and command their banks to transfer funds, just as easily
as the fraud described above? To the extent that this is not
happening, the threat against ecash may not happen either.

Well, one difference is that those transactions can often be undone,
if imperfectly at times.  The whole set of transactions is logged in
many different places, and if there's an attack, there's some
reasonable hope of getting the money back.  And that said, there have
been reports of spyware stealing passwords for online banking systems,
and of course, there are tons of phishing and pharming schemes to get
the account passwords in a more straightforward way.   The point is,
if you're ripped off in this way, there's a reasonable chance you can
get your money back, because the bank has a complete record of the
transactions that were done.  There's no chance of this happening when
there's no record of the transaction anywhere.  

 The payment system operators will surely be sued for this, because
 they're the only ones who will be reachable.  They will go broke, and
 the users will be out their money, and nobody will be silly enough to
 make their mistake again.

They might be sued but they won't necessarily go broke. It depends on
how deep the pockets are suing them compared to their own, and most
especially it depends on whether they win or lose the lawsuit. 

I don't think so.  Suppose there's a widespread attack that steals
money from tens of thousands of users of this payment technology.
There seem to be two choices:

a.  The payment system somehow makes good on their losses.

b.  Everyone who isn't dead or insane pulls every dime left in that
system out, knowing that they could be next.  

It's not even clear that these are mutually exclusive, but if (a)
doesn't happen, (b) surely will.  Nobody wants their money stolen, and
I don't think many people are so confident of their computer security
that they're willing to bet huge amounts of money on it.  If you have
to be that confident in your computer security to use the payment
system, it's not going to have many clients.  

CP

--John



[Clips] Disney 'Screener' DVDs to Use Dolby Encryption Technology

2005-10-25 Thread R.A. Hettinga
And *where* do we put the CCD?
  -- Number one answer in a Top Ten quiz at the FC2K rump-session to a
description of a certain Mickey Mouse projector protocol...

Cheers,
RAH
-
--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Tue, 25 Oct 2005 10:06:40 -0400
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R.A. Hettinga [EMAIL PROTECTED]
 Subject: [Clips] Disney 'Screener' DVDs to Use Dolby Encryption Technology
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 http://online.wsj.com/article_print/SB113014664939177401.html?mod=djemMM

 The Wall Street Journal

  October 24, 2005 9:39 a.m. EDT

 Disney 'Screener' DVDs to Use
  Dolby Encryption Technology
 By WILL DALEY
 DOW JONES NEWSWIRES
 October 24, 2005 9:39 a.m.

 BURBANK, Calif. -- Walt Disney Co. said it will use encryption technology
 from Dolby Laboratories Inc. in the 2005 screener DVDs it provides to
 people who vote on movie awards.

 Disney will use technology from Dolby unit Cinea, which provides copy
 protection and piracy tracking for DVDs.

 "This process offers maximum protection for our films, while allowing key
 members of the Academy, BAFTA [British Academy of Film and Television
 Arts], and a few other select organizations the opportunity to view these
 contenders in the comfort of their own homes," Walt Disney Studios Chairman
 Dick Cook said in a statement early Monday.

 Last year, authorities charged a Chicago-area man on allegations he copied
 movies from videocassettes he received from a member of the Academy of
 Motion Picture Arts and Sciences who had received screener tapes.

 Cinea's method includes the S-View DVD player and encryption technology.
 The DVD player also plays standard DVDs.

 In collaboration with the Academy of Motion Picture Arts and Sciences and
 the Bafta, its British counterpart, Cinea has distributed the DVD players
 to nearly 12,000 of the collective voting members, according to the press
 release.

 Cinea encrypts each disc with a code unique to each member, and the disc
 delivered to each member will play only on the Cinea DVD player registered
 by that member. A Cinea encrypted disc cannot be viewed on any other DVD
 player or computer.

 Disney said it is exploring the possibility of incorporating Cinea's
 security technology into its entire post-production process.


 ___
 Clips mailing list
 [EMAIL PROTECTED]
 http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text





Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-l ike Payment Systems

2005-10-25 Thread leichter_jerrold
| U.S. law generally requires that stolen goods be returned to the
| original owner without compensation to the current holder, even if
| they had been purchased legitimately (from the thief or his agent) by
| an innocent third party.
This is incorrect.  The law draws a distinction between recognized sellers
of the good in question, and other sellers.  If you buy a washer from a guy
who comes up to you and offers you a great deal on something from the back of
his truck, and it turns out to be stolen, you lose.  If you go to an appliance
store and buy a washer that turned out to be stolen, it's yours.  Buy a gold
ring from the salesman at the same store, and you better hope he didn't steal
it.

As in any real-world situation, there are fuzzy areas at the edges; and there
are exceptions.  (Some more expensive objects transfer by title - mainly
houses and cars.  You don't get any claim on the object unless you have a
state-issued title.)  But the general intent is clear and reasonable.

|  Likewise a payment system with traceable
| money might find itself subject to legal orders to reverse subsequent
| transactions, confiscate value held by third parties and return the
| ill-gotten gains to the victim of theft or fraud. Depending on the
| full operational details of the system, Daniel Nagy's epoints might be
| vulnerable to such legal actions.
This is no different from the case with cash today.  If there is a way to
prove - in the legal sense, not some abstract mathematical sense - that a
transfer took place, the legal system may reverse it.  This comes up in
contexts like improper transfers of assets before a bankruptcy declaration, or
when people try to hide money during a divorce.
-- Jerry




Re: semi-predictable OTPs

2005-10-25 Thread Joseph Ashwood
- Original Message - 
From: Travis H. [EMAIL PROTECTED]

Subject: semi-predictable OTPs

Despite [flawed OTPs], the NSA wasn't able to crack any messages.



My question is, why?   I think I know the reason, and that is that any
predictability in a symbol of the OTP correlated to a predictability
in only one plaintext symbol.  In other words, there was no leverage
whereby that plaintext could then be used to derive other symbols.
Can anyone explain this better (or more accurately)?  Is this lack of
diffusion?  Or does it have something to do with the unicity distance?


You've pretty much got it. In order for a OTP to work you simply need what I 
commonly refer to as an overflow of entropy. The source of this entropy 
doesn't matter and it can be from the plaintext as much as it can be from 
the key. This extends the unicity distance (as you noted) and can render it 
impossible to decrypt.
   Joe 






Re: semi-predictable OTPs

2005-10-25 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], Travis H. writes:
I recall reading somewhere that the NSA got ahold of some KGB numeric
OTPs (in the standard five-digit groups).  They found that they
contained corrections, typos, and showed definite non-random
characteristics.  Specifically, they had a definite left-hand
right-hand alternation, and tended to not have enough repeated digits,
as though typists had been told to type random numbers.  Despite this,
the NSA wasn't able to crack any messages.

My question is, why?   I think I know the reason, and that is that any
predictability in a symbol of the OTP correlated to a predictability
in only one plaintext symbol.  In other words, there was no leverage
whereby that plaintext could then be used to derive other symbols. 
Can anyone explain this better (or more accurately)?  Is this lack of
diffusion?  Or does it have something to do with the unicity distance?

Another possible answer is that it didn't matter because of how it was 
used.

If you read the NSA monograph on Venona -- I posted a link a few weeks 
ago -- you'll see that the OTP in that case was used to superencipher a 
codebook, by adding the 5-digit OTP number to the 5-digit code value.  
Non-random digits in such a setting are more or less irrelevant, unless 
there is enough of a pattern that it helps you strip off the 
superencipherment.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb


