Re: once more, with feeling.
At Sat, 20 Sep 2008 15:55:12 -0400, Steven M. Bellovin wrote:
>
> On Thu, 18 Sep 2008 17:18:00 +1200
> [EMAIL PROTECTED] (Peter Gutmann) wrote:
>
> > - Use TLS-PSK, which performs mutual auth of client and server
> > without ever communicating the password. This vastly complicates
> > phishing since the phisher has to prove advance knowledge of your
> > credentials in order to obtain your credentials (there are a pile of
> > nitpicks that people will come up with for this, I can send you a
> > link to a longer writeup that addresses them if you insist, I just
> > don't want to type in pages of stuff here).
> >
> Once upon a time, this would have been possible, I think. Today,
> though, the problem is the user entering their key in a box that is (a)
> not remotely forgeable by a web site that isn't using the browser's
> TLS-PSK mechanism; and (b) will *always* be recognized by users, even
> dumb ones. Today, sites want *pretty* login screens, with *friendly*
> ways to recover your (or Palin's) password, and not just generic grey
> boxes. Then imagine the phishing page that displays an artistic but
> purely imaginary "login" screen, with a message about "NEW! Better
> navigation on our login page!"

This is precisely the issue. There are any number of cryptographic techniques that would allow clients and servers to authenticate to each other in a phishing resistant fashion, but they all depend on ensuring that the *client* has access to the password and that the attacker can't convince the user to type their password into some dialog that the attacker controls. That's the challenging technical issue, but it's UI, not cryptographic.

-Ekr

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Lava lamp random number generator made useful?
> "IanG" == IanG <[EMAIL PROTECTED]> writes:

IanG> Nope, sorry, didn't follow it. What is BOM, SoC, A plug, gerber?

Bill Of Materials -- cost of the raw hardware
System on (a) Chip -- microchip with CPU, RAM, FLASH, etc
USB A Plug -- physical flat-four interface; think USB key drive
gerber -- file format for hardware designs

A system-on-a-chip which has rng and usb-client hardware on board (aka on chip) should fit in a package which looks just like a USB key drive. The software load could make it look like any USB device, including a USB storage device where every read produces blocks of entropy, as you suggested.

A search for "site:linuxdevices.com SoC RNG USB" shows some useful SoCs, such as:

http://www.linuxdevices.com/news/NS9265554097.html
http://www.linuxdevices.com/news/NS6958318931.html
http://www.linuxdevices.com/news/NS6020408561.html
http://www.linuxdevices.com/news/NS4943322251.html
http://www.linuxdevices.com/news/NS4469294424.html

There seems to be significant interest in the industry for SoCs for Point of Sale smartcard readers which would also work for your proposed design. You did suggest an open hardware design.

As for using a camera, shots with a lens cover on and with the gain turned up (ie, tell people to set the camera to its highest ISO setting) should maximize the recorded entropy w/o using their candids, eh?

-JimC
--
James Cloos <[EMAIL PROTECTED]> OpenPGP: 1024D/ED7DAEA6
Re: Lava lamp random number generator made useful?
On Sat, Sep 20, 2008 at 3:09 PM, IanG <[EMAIL PROTECTED]> wrote:
> Does anyone know of a cheap USB random number source?
>
> ...
>
> I've often thought that if we had an open source hardware design of
> a USB random number generator ... that cost a few pennies to add
> onto any other USB toy ... then ...

Not USB, but ...

There is an excellent Open Source design for a true random number generator using a sound card at:

http://www.av8n.com/turbid/

Since many servers will have an unused sound card equivalent on the motherboard, and a cheapo sound card is an easy addition to others, this strikes me as a good solution.

--
Sandy Harris, Quanzhou, Fujian, China
Password Recovery Attack
One attack on services, which use personal questions as a backup form of user verification, works well for high-profile users of these systems. The attack is very simple. Go into the password recovery page, and use Google to look up the answers to the personal questions asked. There is enough Googleable data around for high-profile people, and perhaps not so high profile people, that the attack can be successful often enough to be useful.

My sources say Sarah Palin's email account was breached using this attack.

Cheers - Bill

---
Bill Frantz        |"We used to quip that "password" is the most common
408-356-8506       | password. Now it's 'password1.' Who said users haven't
www.periwinkle.com | learned anything about security?" -- Bruce Schneier
Re: Lava lamp random number generator made useful?
> "IanG" == IanG <[EMAIL PROTECTED]> writes:

IanG> I've often thought that if we had an open source hardware design
IanG> of a USB random number generator

It should be doable as just a RNG device for a BOM of a few tens of USD.

There are at least a couple of SoCs on the market which advertise USB client hw and at least some onboard crypto. Put one of those in a key-sized container with just enough glue for an A plug and the hw is done.

The software should be easy enough. Linux's gadget driver can claim to be pretty much anything -- serial, storage, ethernet. I presume the various BSD's can do so as well. So the software end should be easy.

Are there any HW engineers here who can flesh out the above into a gerber file or similar?

-JimC
--
James Cloos <[EMAIL PROTECTED]> OpenPGP: 1024D/ED7DAEA6
Re: once more, with feeling.
On Thu, 18 Sep 2008 17:18:00 +1200
[EMAIL PROTECTED] (Peter Gutmann) wrote:

> - Use TLS-PSK, which performs mutual auth of client and server
> without ever communicating the password. This vastly complicates
> phishing since the phisher has to prove advance knowledge of your
> credentials in order to obtain your credentials (there are a pile of
> nitpicks that people will come up with for this, I can send you a
> link to a longer writeup that addresses them if you insist, I just
> don't want to type in pages of stuff here).
>
Once upon a time, this would have been possible, I think. Today, though, the problem is the user entering their key in a box that is (a) not remotely forgeable by a web site that isn't using the browser's TLS-PSK mechanism; and (b) will *always* be recognized by users, even dumb ones. Today, sites want *pretty* login screens, with *friendly* ways to recover your (or Palin's) password, and not just generic grey boxes. Then imagine the phishing page that displays an artistic but purely imaginary "login" screen, with a message about "NEW! Better navigation on our login page!"

If this had been done in the beginning, before users -- and web site designers, and browser vendors -- were mistrained, it might have worked. Now, though? I'm skeptical.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: Lava lamp random number generator made useful?
> Does anyone know of a cheap USB random number source?
>
> As a meandering comment, it would be extremely good for us if we had
> cheap pocket random number sources of arguable quality [1].
>
> I've often thought that if we had an open source hardware design of
> a USB random number generator ... that cost a few pennies to add
> onto any other USB toy ... then we could ask the manufacturers to
> throw it in for laughs. Something like a small mountable disk that
> returns randoms on every block read, so the interface is trivial.
>
> Then, when it comes time to generate those special keys, we could
> simply plug it in, run it, clean up the output in software and use
> it. Hey presto, all those nasty software and theoretical
> difficulties evaporate.

A TPM has random numbers of arguable quality. I'm happy to argue either side of it, but that's not what you asked.

A cheap USB camera would make a good source. The cheaper the better, too. Pull a frame off, hash it, and it's got entropy, even against a white background. No lava lamp needed.

Jon
Re: Lava lamp random number generator made useful?
On 09/20/2008 12:09 AM, IanG wrote:
> Does anyone know of a cheap USB random number source?

Is $7.59 cheap enough?

http://www.geeks.com/details.asp?invtid=HE-280B&cat=GDT

For that you get a USB audio adapter with mike jack, and then you can run turbid(tm) to produce high-quality randomness. Reference, including analytical paper plus code:

http://www.av8n.com/turbid/

> As a meandering comment, it would be extremely good for us if we had
> cheap pocket random number sources of arguable quality [1].

If the above is not good enough, please explain.

> I've often thought that if we had an open source hardware design of
> a USB random number generator ... that cost a few pennies to add
> onto any other USB toy ... then we could ask the manufacturers to
> throw it in for laughs. Something like a small mountable disk that
> returns randoms on every block read, so the interface is trivial.

I think the turbid solution is much better than a disk.
-- Unlimited long-term capacity.
-- Perfect forward secrecy, unlike a disk, unless you do a really good job of erasing each block after use.
-- Perfect secrecy in the other direction, period.

> Then, when it comes time to generate those special keys, we could
> simply plug it in, run it, clean up the output in software and use
> it. Hey presto, all those nasty software and theoretical
> difficulties evaporate.

If the above is not good enough, please explain.
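The thread above ("pull a frame off, hash it", "clean up the output in software", "every block read returns randoms") leaves the software side implicit. The following is an added example, written for this page and not code from any of the posters, from turbid, or from the linked SoC vendors. It assumes a raw 8-bit sensor frame; since no capture hardware is available here, the frame is constructed from a seeded PRNG with Gaussian noise on a flat grey field, and the names constructed_frame, min_entropy_per_sample, condition and random_block are this example's own. The conservative min-entropy screen and the SHA-256 conditioning step apply equally to a sound-card sample stream of the kind turbid reads; the point the code makes is the failure mode the posts gloss over: a saturated or stuck sensor hashes to something that looks random but carries no entropy, so the frame must be screened before it is conditioned, and a zero-entropy frame must be refused rather than hashed.

```python
import hashlib
import math
import random
from collections import Counter

# Constructed stand-in for "pull a frame off the camera": a flat grey field
# plus simulated sensor noise from a seeded PRNG. A real frame would come
# from a capture API, and real sensor noise is not i.i.d., so the estimate
# below is a screening test against dead sources, not a proof of entropy.
def constructed_frame(seed: int, noise_sigma: float, n: int = 4096,
                      level: int = 200) -> bytes:
    rng = random.Random(seed)
    pixels = bytearray()
    for _ in range(n):
        v = int(round(level + rng.gauss(0.0, noise_sigma)))
        pixels.append(max(0, min(255, v)))   # clamp like an 8-bit ADC would
    return bytes(pixels)

def min_entropy_per_sample(samples: bytes) -> float:
    """Conservative min-entropy estimate in bits per sample: -log2 of the
    frequency of the most common value. A stuck or saturated sensor, where
    every sample is the same value, scores exactly 0."""
    if not samples:
        return 0.0
    top_count = Counter(samples).most_common(1)[0][1]
    return -math.log2(top_count / len(samples))

def condition(samples: bytes, bits_per_sample: float, out_bytes: int = 32,
              safety: float = 2.0) -> bytes:
    """'Clean up the output in software': hash enough raw samples that their
    estimated min-entropy covers the output size with a safety margin.
    Refuses a source that estimates at zero entropy instead of returning a
    hash of a constant that merely looks random."""
    if not 1 <= out_bytes <= hashlib.sha256().digest_size:
        raise ValueError("out_bytes must fit in one SHA-256 digest")
    if bits_per_sample <= 0.0:
        raise ValueError("source shows no entropy; refusing to condition it")
    needed_samples = math.ceil(out_bytes * 8 * safety / bits_per_sample)
    if len(samples) < needed_samples:
        raise ValueError(f"need {needed_samples} samples, have {len(samples)}")
    return hashlib.sha256(samples[:needed_samples]).digest()[:out_bytes]

def random_block(frame: bytes, out_bytes: int = 32,
                 floor_bits: float = 1.0) -> bytes:
    """The 'block read returns randoms' interface: screen the frame, then
    condition it. floor_bits is an arbitrary acceptance threshold chosen for
    this example; a deployment would set it from measurements of the sensor."""
    h = min_entropy_per_sample(frame)
    if h < floor_bits:
        raise ValueError(f"frame estimates {h:.2f} bits/sample, below {floor_bits}")
    return condition(frame, h, out_bytes)

if __name__ == "__main__":
    noisy = constructed_frame(seed=1, noise_sigma=3.0)
    print(f"noisy frame: ~{min_entropy_per_sample(noisy):.2f} bits/sample")
    print("block:", random_block(noisy).hex())
    saturated = bytes([255]) * 4096     # lens cover off, sensor blown out
    try:
        random_block(saturated)
    except ValueError as e:
        print("rejected:", e)
```

The estimator deliberately uses min-entropy (worst-case guessability) rather than Shannon entropy, because the conditioning step has to cover the attacker's best guess, not the average one; and it screens the raw samples before hashing, because after SHA-256 a dead sensor and a live one are indistinguishable by inspection.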