Re: X.509 / PKI, PGP, and IBE Secure Email Technologies
On Thu, Dec 08, 2005 at 05:10:20PM -0800, Ed Gerck wrote:

> PGP is public-key email without PKI.

This is true for use in geodesic networks, but not true for inter-organization email: one ends up introducing gateway systems, which create an ad-hoc PKI of gateways that have exchanged keys and users that have authenticated to the gateways when one of the sides has no such gateway. Key management does not go away.

> So is IBE.

I disagree here; with IBE there still needs to be a way to securely obtain the site public key for each site. Granted, you don't need a per-user key, but this does not make the problem of key management go away.

My *personal* view is that patent-encumbered technologies don't have a major role to play in anything quite as ubiquitous as email.

--
Victor Duchovni
IT Security, Morgan Stanley

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: X.509 / PKI, PGP, and IBE Secure Email Technologies
Ed Gerck wrote:

> I believe that's what I wrote above. This rather old point (known to the X.509 authors, as one can read in their documents) is why X.509 simplifies what it provides to the least possible _to_automate_ and puts all the local and human-based security decisions in the CPS. (The fact that the CPS is declared to be out of scope of X.509 is both a solution and a BIG problem, as I mentioned previously.)

i like the explanation that some attempted to give at the acm sigmod conference in san jose (circa 1992) of what was going on in the x.5xx standards activities ... a bunch of network engineers trying to re-invent 1960s database technology ... the x.509 digital certificates being a stale, static, cacheable entry of something in an x.500 ldap database ... that was armored for survival in a potentially hostile environment and for relying parties that didn't have the ability to access the real database entry.

cps was something that was needed for trusted third party certification authority operation ... not for the x.509 identity certificate itself. the issue is when you effectively have these stale, static, cacheable, armored database entries that aren't part of an organization and business processes that relying parties belong to. in traditional access to database entries (whether you are directly accessing the entry or a stale, static cached copy of the database entry) ... the business processes accessing the data and the businesses responsible for the data are part of the same operation and/or belong to organizations that have binding contractual relationships. it is only when you have parties responsible for the information (trusted third party certification authorities) that are 1) totally different from the parties relying on the information and/or 2) the different parties have no contractual relationships.

one could hypothesize that the creation of CPS was to provide some sort of substitute for a contractual relationship between different organizations/parties, where the relying party has no means of directly accessing the information and must rely on a stale, static digital certificate representation (of that information) provided by an organization that the relying party has no contractual relationship with (just claiming to be a trusted third party certification authority possibly wasn't enough of a sense of security for some relying parties, and so CPS were invented to provide relying parties a higher sense of comfort in lieu of having something like an actual contractual relationship). that makes CPSs a substitute for contractual relationships when x.509 digital certificates are used for trusted third party certification authorities where the relying parties and the TTP/CAs are different organizations.
Re: X.509 / PKI, PGP, and IBE Secure Email Technologies
Ed Gerck wrote:

> PGP is public-key email without PKI. So is IBE. And yet neither of them has all the identical, same basic components that PKI also needs. Now, when you look at the paper on email security at http://email-security.net/papers/pki-pgp-ibe.htm you see that the issue of what components PKI needs (or not) is not relevant to the analysis.

usually when you are doing baseline ... you start with the simplest, evaluate that, and then incrementally add complexity. in that sense PGP is much closer to the simplest baseline ... and PKI becomes added complexity ... inverting your classification; email PKI is PGP with digital certificates added.

you then could add various layers of public key operation where the relying parties have direct access to the information in one way or another and therefore don't require stale, static, armored cached copies (digital certificates) of the real information.

then you can go thru numerous layers of PKI ... are the relying parties and the digital certificate creators part of the same business organization ... and therefore require neither a contractual relationship nor a CPS as a substitute for a contractual relationship. then add trusted third party certification authority PKI ... where the relying parties and the certification authorities have a direct contractual relationship and therefore don't require a CPS as a substitute for a contractual relationship.

it is when you get to trusted third party certification authority PKI ... where the relying parties and the ttp/ca are part of totally different business operations and have no contractual relationship ... that you then get into the issue of how a relying party actually knows that it should be trusting a ttp/ca.
Re: X.509 / PKI, PGP, and IBE Secure Email Technologies
James A. Donald wrote:

> However, the main point of attack is phishing, when an outsider attempts to interpose himself, the man in the middle, into an existing relationship between two people that know and trust each other.

in the public key model ... whether it involves pgp, pki, digital certificates, whatever ... the local user (relying party) has to have a local trusted repository for public keys. in the pki model, this tends to be restricted to the public keys of certification authorities ... so that the relying party can verify the digital signature on these message/document constructs called digital certificates.

in the traditional, ongoing-relationship scenario, relying parties directly record authentication information of the parties they are dealing with. if a relying party were to directly record the public key of the people they are communicating with ... it is the trusting of that public key and the validating of associated public key operations that provide the countermeasure for man-in-the-middle attacks and phishing attacks.

the issue that has been repeatedly discussed is that supposedly the existing SSL domain name digital certificates were to prevent impersonation and mitm-attacks. however, because of various infrastructure shortcomings ... an attacker can still operate with perfectly valid SSL domain name digital certificates ... and it doesn't stop the MITM-attack and/or phishing.
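The two kinds of "local trusted repository" contrasted in the post above, as an added example that is not part of the thread or of any project it mentions. It uses Go's standard-library Ed25519 and a constructed, non-X.509 certificate structure (a CA signature over a name/key binding); the CA name "ExampleCA", the correspondent name "alice@example.test" and the messages are all made up for the example. `VerifyViaCA` models the PKI repository (only CA keys are trusted locally), `VerifyPinned` models the ongoing-relationship repository (the correspondent's own key is recorded on first contact). `Scenario` then presents a second, different key for the same name that the trusted CA has also certified, which is the "perfectly valid certificate" situation the post describes: the CA-only check has nothing to compare against and accepts it, while the recorded-key check refuses it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Certificate is a constructed stand-in for an X.509 certificate: a CA's
// signature binding a name to a public key. It is not X.509.
type Certificate struct {
	Name string
	Key  ed25519.PublicKey
	Sig  []byte // CA signature over Name || 0x00 || Key
}

// certBytes is the byte string the CA signs.
func certBytes(name string, key ed25519.PublicKey) []byte {
	return append([]byte(name+"\x00"), key...)
}

// Issue has the CA sign a name/key binding.
func Issue(caPriv ed25519.PrivateKey, name string, key ed25519.PublicKey) Certificate {
	return Certificate{Name: name, Key: key, Sig: ed25519.Sign(caPriv, certBytes(name, key))}
}

// RelyingParty holds the two kinds of local trusted repository: CA public
// keys (the PKI model) and directly recorded correspondent keys (the
// ongoing-relationship model).
type RelyingParty struct {
	TrustedCAs map[string]ed25519.PublicKey // CA name -> CA public key
	Pinned     map[string]ed25519.PublicKey // correspondent -> recorded key
}

// VerifyViaCA accepts a message if its certificate was signed by any locally
// trusted CA and the message verifies under the certified key. It has no
// memory of which key this correspondent used before.
func (rp *RelyingParty) VerifyViaCA(cert Certificate, msg, sig []byte) error {
	trusted := false
	for _, caKey := range rp.TrustedCAs {
		if ed25519.Verify(caKey, certBytes(cert.Name, cert.Key), cert.Sig) {
			trusted = true
			break
		}
	}
	if !trusted {
		return errors.New("certificate not signed by a trusted CA")
	}
	if !ed25519.Verify(cert.Key, msg, sig) {
		return errors.New("message signature does not verify under certified key")
	}
	return nil
}

// VerifyPinned records the correspondent's key on first contact and from then
// on requires every message to verify under exactly that key. A different key
// for the same correspondent is refused even if a CA has certified it.
func (rp *RelyingParty) VerifyPinned(from string, key ed25519.PublicKey, msg, sig []byte) error {
	if recorded, seen := rp.Pinned[from]; seen {
		if !recorded.Equal(key) {
			return errors.New("key presented for " + from + " differs from the recorded key")
		}
	} else {
		rp.Pinned[from] = key // trust on first use
	}
	if !ed25519.Verify(key, msg, sig) {
		return errors.New("message signature does not verify")
	}
	return nil
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Scenario runs the interposition case with constructed keys and reports
// whether each model accepts the second, different key for the same name.
func Scenario() (caAccepts, pinAccepts bool) {
	caPub, caPriv := mustKey()
	alicePub, alicePriv := mustKey()
	otherPub, otherPriv := mustKey()
	rp := &RelyingParty{
		TrustedCAs: map[string]ed25519.PublicKey{"ExampleCA": caPub},
		Pinned:     map[string]ed25519.PublicKey{},
	}
	const name = "alice@example.test" // constructed correspondent name

	// First contact: the genuine correspondent, certified by the trusted CA.
	msg1 := []byte("constructed message 1")
	sig1 := ed25519.Sign(alicePriv, msg1)
	if rp.VerifyViaCA(Issue(caPriv, name, alicePub), msg1, sig1) != nil ||
		rp.VerifyPinned(name, alicePub, msg1, sig1) != nil {
		panic("genuine first contact must verify under both models")
	}

	// Later: a different key for the same name, also certified by the trusted CA.
	msg2 := []byte("constructed message 2")
	sig2 := ed25519.Sign(otherPriv, msg2)
	caAccepts = rp.VerifyViaCA(Issue(caPriv, name, otherPub), msg2, sig2) == nil
	pinAccepts = rp.VerifyPinned(name, otherPub, msg2, sig2) == nil
	return caAccepts, pinAccepts
}

func main() {
	ca, pin := Scenario()
	fmt.Println("CA-only repository accepts the second key:", ca, "; recorded-key repository accepts it:", pin)
}
```

The point of the comparison is what each repository can detect, not that one replaces the other: a recorded key catches a change of key for a known correspondent, but says nothing about a name the relying party has never dealt with, which is where the phishing case in the post sits.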
Re: X.509 / PKI, PGP, and IBE Secure Email Technologies
Anne Lynn Wheeler wrote:

> usually when you are doing baseline ... you start with the simplest, evaluate that and then incrementally add complexity.

I think that's where PKI got it wrong in several parts, and not just the CPS. It started with the simplest (because it was meant to work for a global RA -- remember X.500?) and then complexity was added. Today, in the most recent PKIX dialogues, even RFC authors often disagree on what is meant in the RFCs. Not to mention the readers.

As another example, at least one IBE offer does not talk about key lifetime at all -- in fact, the documentation online talks about using the same key for _all_ future communications. When this, of course, fails and key expiration is introduced, it will be over an existing baseline... a patch. Key revocation will be even harder to introduce in IBE. As new capabilities conflict with the old, the end result of this approach seems to be a lot of patched-in complexity and vulnerabilities.

It seems better to start with a performance specification for the full system. The code can follow the specs as closely as possible for each version, the specs can change too, but at least the grand picture should exist beforehand. This is what this thread's subject paper is about: the grand picture for secure email and why we aren't there yet (Phil's PGP is almost 15 years old) -- what's missing.

BTW, there's a new version out for the "X.509 / PKI, PGP, and IBE Secure Email Technologies" paper, and Blog comments in the site as well, at http://email-security.net

Cheers,
Ed Gerck
Re: X.509 / PKI, PGP, and IBE Secure Email Technologies
At 09:40 AM 12/8/2005, Aram Perez wrote:

> On Dec 7, 2005, at 10:24 PM, James A. Donald wrote:
>
> > Software is cheaper than boats - the poorest man can afford the strongest encryption, but he cannot afford the strongest boat.
>
> If it is that cheap, then why are we having this discussion? Why isn't there a cheap security solution that even my mother can use?

Usability is a hard problem, and security is a really broad field. PGP, for instance, did a pretty good job of security a decade ago, given Phil's threat models (ignoring a few algorithm problems that were mostly related to trying to skimp on bits and the subsequent weaknesses in MD5), but the usability was pretty rough back then, and version compatibility has gotten enough worse that Hugh Daniel and I can no longer reliably communicate with PGP. But even if we both drop back to GPG on text files, and use remailers run by friends on Tor nodes run by random strangers, KGB-proof security would require protection against black-bag jobs on Hugh's keyboards and duping employees at my company's IT department into weakening my Windows XP configuration. (For cost-effectiveness and avoidance of detection, I'd recommend the latter strategy, probably by selling them some new nifty administration tool or Instant Messaging client :-)

The real security issue for your mother is threat models. If your mom isn't using a Mac or administering her own Linux box, then her biggest security threat is that she's computing on a box made of Swiss cheese (though XP does seem to be noticeably better than Win95/98/ME) and probably using a browser that's happy to accept random software installed by spammers and phishers, and if she's not using webmail, she's probably running a mail client that happily displays clickable links to phishing sites purporting to be eBay or her bank.

And that's mostly independent of whether she can trustably send email to other members of the Ladies' Sewing Circle and Terrorist Society without the Feds reading it, which is the kind of problem PGP was trying to solve, because her bank and eBay don't cryptographically sign their mail.

Popularity of a product is critical to its security; you don't gain anonymity if the Feds can recognize that you're one of the dozen users of a given application. Your mom can use Skype, but nobody she knows uses Crypto Kong, and I only know a few people who use PGP to email their mom. But some of the Instant Messaging systems use crypto; too bad that they're continually trying to be incompatible with each other to gain market share.
secure links using classical (i.e., non-quantum) physics
http://arxiv.org/abs/physics/0509136

Totally Secure Classical Communication Utilizing Johnson (-like) Noise and Kirchoff's Law
Authors: Laszlo B. Kish
Comments: 14 pages; Google search terms: +totally +secure +communication
Subj-class: General Physics
Journal-ref: Manuscript featured by Science, vol. 309, p. 2148 (2005, September 30)

An absolutely secure, fast, inexpensive, robust, maintenance-free and low-power-consumption communication is proposed. The states of the information bit are represented by two resistance values. The sender and the receiver have such resistors available and they randomly select and connect one of them to the channel at the beginning of each clock period. The thermal noise voltage and current can be observed but Kirchoff's law provides only a second-order equation. A secure bit is communicated when the actual resistance values at the sender's side and the receiver's side differ. Then the second-order equation yields the two resistance values, but the eavesdropper is unable to determine the actual locations of the resistors and to find out the state of the sender's bit. The receiver knows that the sender has the inverse of his bit, similarly to quantum entanglement. The eavesdropper can decode the message if, for each bit, she injects current into the wire and measures the voltage change and the current changes in the two directions. However, in this way she gets discovered by the very first bit she decodes. Instead of thermal noise, proper external noise generators should be used when the communication is not aimed to be stealth.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
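The passive-eavesdropper part of the scheme in the abstract above, worked through as an added example that is not from the paper or the post. It models the wire with the Johnson-noise spectral densities of two resistors in one loop (the "second-order equation" is the quadratic whose roots are the two resistor values), so a listener on the wire recovers the unordered pair but not which end holds which, while the receiver, who knows his own resistor, recovers the sender's choice as the inverse of his own. The resistor values (1 kOhm and 10 kOhm), the temperature and the random choices are constructed for the simulation; the active current-injection attack and its detection, which the abstract also mentions, are not modelled here.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

// Constructed parameters for the simulation.
const (
	kB    = 1.380649e-23 // Boltzmann constant, J/K
	tempK = 300.0        // temperature in kelvin; only scales the noise
	RLow  = 1000.0       // resistor representing bit 0, ohms
	RHigh = 10000.0      // resistor representing bit 1, ohms
)

// NoiseDensities returns the thermal-noise spectral densities an observer on
// the wire can measure once each end has connected one resistor. The two
// Johnson noise sources drive a current around the single loop, so by
// Kirchhoff's loop law:
//   S_i = 4kT / (R_s + R_r)              (current, A^2/Hz)
//   S_u = 4kT * R_s*R_r / (R_s + R_r)    (voltage across the wire, V^2/Hz)
func NoiseDensities(rSender, rReceiver float64) (sU, sI float64) {
	total := rSender + rReceiver
	return 4 * kB * tempK * rSender * rReceiver / total, 4 * kB * tempK / total
}

// EavesdropperView is everything a passive listener can extract: the sum and
// the product of the two resistors, hence the roots of
//   R^2 - (R_s + R_r) R + R_s R_r = 0
// (the abstract's second-order equation). The roots are returned in ascending
// order because nothing on the wire says which end holds which.
func EavesdropperView(sU, sI float64) (low, high float64) {
	sum := 4 * kB * tempK / sI
	product := sU * sum / (4 * kB * tempK)
	disc := math.Sqrt(math.Max(sum*sum-4*product, 0))
	return (sum - disc) / 2, (sum + disc) / 2
}

func pick(bit int) float64 {
	if bit == 1 {
		return RHigh
	}
	return RLow
}

// ExchangeBit simulates one clock period. A period yields a secure bit only
// when the two resistors differ. The receiver measures the same noise as the
// eavesdropper but also knows R_r, so he solves R_s = sum - R_r directly;
// the result is the inverse of his own bit. recovered is -1 for a discarded
// (equal-resistor) period.
func ExchangeBit(senderBit, receiverBit int) (secure bool, recovered int) {
	rS, rR := pick(senderBit), pick(receiverBit)
	low, high := EavesdropperView(NoiseDensities(rS, rR))
	if high-low < 0.01*RLow { // roots coincide (beyond floating-point noise)
		return false, -1
	}
	rSeen := (low + high) - rR // receiver's side of the calculation
	if rSeen > (RLow+RHigh)/2 {
		return true, 1
	}
	return true, 0
}

// RunSession runs nBits periods with random choices at both ends and returns
// the bits the receiver recovered (the shared key) plus the number of
// discarded periods. Each recovered bit is checked against the sender's bit.
func RunSession(nBits int, seed int64) (key []int, discarded int) {
	rng := rand.New(rand.NewSource(seed))
	for i := 0; i < nBits; i++ {
		sb, rb := rng.Intn(2), rng.Intn(2)
		secure, got := ExchangeBit(sb, rb)
		if !secure {
			discarded++
			continue
		}
		if got != sb {
			panic("receiver recovered a wrong bit")
		}
		key = append(key, got)
	}
	return key, discarded
}

func main() {
	low, high := EavesdropperView(NoiseDensities(RLow, RHigh))
	fmt.Printf("eavesdropper sees the pair {%.0f, %.0f} ohms but not which end has which\n", low, high)
	key, discarded := RunSession(64, 1)
	fmt.Printf("%d secure bits shared, %d periods discarded\n", len(key), discarded)
}
```

Roughly half the periods are discarded, since both ends choose the same resistor half the time; those periods are exactly the ones the eavesdropper can read, and they carry no key material.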
[Clips] Engineer Outwits Fingerprint Recognition Devices with Play-Doh
Same story, different malleable substance...

Cheers,
RAH

--- begin forwarded text

Date: Sat, 10 Dec 2005 11:08:14 -0500
To: Philodox Clips List [EMAIL PROTECTED]
From: R. A. Hettinga [EMAIL PROTECTED]
Subject: [Clips] Engineer Outwits Fingerprint Recognition Devices with Play-Doh

http://www.linuxelectrons.com/article.php/20051209175034721

Engineer Outwits Fingerprint Recognition Devices with Play-Doh
Friday, December 09 2005 @ 05:50 PM CST
Contributed by: ByteEnable

Potsdam, New York - Eyeballs, a severed hand, or fingers carried in ziplock bags. Back alley eye replacement surgery. These are scenarios used in recent blockbuster movies like Steven Spielberg's Minority Report and Tomorrow Never Dies to illustrate how unsavory characters in high-tech worlds beat sophisticated security and identification systems. Sound fantastic? Maybe not.

Biometrics is the science of using biological properties, such as fingerprints, an iris scan, or voice recognition, to identify individuals. And in a world of growing terrorism concerns and increasing security measures, the field of biometrics is rapidly expanding.

"Biometric systems automatically measure the unique physiological or behavioral 'signature' of an individual, from which a decision can be made to either authenticate or determine that individual's identity," explained Stephanie C. Schuckers, an associate professor of electrical and computer engineering at Clarkson University.

Today, biometric systems are popping up everywhere - in places like hospitals, banks, even college residence halls - to authorize or deny access to medical files, financial accounts, or restricted or private areas. And as with any identification or security system, Schuckers adds, biometric devices are prone to "spoofing," or attacks designed to defeat them.

"Spoofing is the process by which individuals overcome a system through an introduction of a fake sample. Digits from cadavers and fake fingers molded from plastic, or even something as simple as Play-Doh or gelatin, can potentially be misread as authentic," she explains. "My research addresses these deficiencies and investigates ways to design effective safeguards and vulnerability countermeasures. The goal is to make the authentication process as accurate and reliable as possible."

Schuckers' biometric research is funded by the National Science Foundation (NSF), the Office of Homeland Security and the Department of Defense. She is currently assessing spoofing vulnerability in fingerprint scanners and designing methods to correct for these as part of a $3.1 million interdisciplinary research project funded through the NSF. The project, "ITR: Biometrics: Performance, Security and Societal Impact," investigates the technical, legal and privacy issues raised from broader applications of biometric system technology in airport security, computer access, or immigration. It is a joint initiative among researchers from Clarkson, West Virginia University, Michigan State University, St. Lawrence University, and the University of Pittsburgh.

Fingerprint scanning devices often use basic technology, such as an optical camera that takes pictures of fingerprints, which are then read by a computer. In order to assess how vulnerable the scanners are to spoofing, Schuckers and her research team made casts from live fingers using dental materials and used Play-Doh to create molds. They also assembled a collection of cadaver fingers.

[Photo caption: Clarkson University Associate Professor of Electrical and Computer Engineering Stephanie C. Schuckers, with imitation fingers. Simple casts made from a mold and material such as Play-Doh, clay or gelatin can be used to fool most fingerprint recognition devices. Schuckers, an expert in biometrics, the science of using biological properties, such as fingerprints or voice recognition, to identify individuals, is a partner in a $3.1 million interdisciplinary biometrics research project funded by the National Science Foundation with support from the Department of Homeland Security.]

In the laboratory, the researchers then systematically tested more than 60 of the faked samples. The results were a 90 percent false verification rate.

"The machines could not distinguish between a live sample and a fake one," Schuckers explained. "Since liveness detection is based on the recognition of physiological activities as signs of life, we hypothesized that fingerprint images from live fingers would show a specific changing moisture pattern due to perspiration but cadaver and spoof fingerprint images would not. In live fingers, perspiration starts around the pore, and spreads along the ridges, creating a distinct signature of the process."

Schuckers and her research team designed a computer algorithm that would detect this pattern when