TLS/SSL Survey (Ristic/Qualys) (was: Re: A mighty fortress is our PKI)
Internet SSL Survey 2010 is here! (blog post)
http://blog.ivanristic.com/2010/07/internet-ssl-survey-2010-is-here.html

Actual report: Qualys Internet SSL Survey 2010 v1.6 (PDF, 3.2 MB)
http://blog.ivanristic.com/Qualys_SSL_Labs-State_of_SSL_2010-v1.6.pdf

=JeffH

- The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
Re: GSM eavesdropping
On Aug 2, 2010, at 4:19 PM, Paul Wouters wrote:

> ...Of course, TLS hasn't been successful in the sense that we care about most. TLS has had no impact on how users authenticate (we still send usernames and passwords) to servers, and the way TLS authenticates servers to users turns out to be very weak (because of the plethora of CAs, and because transitive trust isn't all that strong).
>
> Let's first focus on foiling the grand scale of things by protecting against passive attacks of large scale monitoring. Then let's worry about protecting against active targeted attacks

It's worth pointing out that you're here making a value judgement - and, in effect, a political argument. Large scale monitoring is mainly, if not entirely, something governments do. It's unlikely to be cost-effective for the commercial attackers we see today. Active, targeted attacks, on the other hand, seem to be the purview of many sophisticated attackers today - both governmental and non-governmental. Cryptographic theory can help you decide which of these classes of attackers you should be more concerned about.

BTW, economics is everywhere. Suppose you had a cryptographic technique that was quick and easy to apply, but also cheap to break - say, $1 per message. Pretty useless, right? But now imagine that every message is encrypted using this poor technique. No individual message, once known through external signals to have value greater than $1, is safe - but the aggregate of billions of messages being transferred every day is safe against any plausible attacker.

-- Jerry
Re: Is this the first ever practically-deployed use of a threshold scheme?
> There is more than the UI at stake here, i.e. the basic functionality of the scheme. Say you distribute shares in a 4 out of 7 scheme (ABCDEF) and share A is published on the web. How do you recover from the remaining 3 out of 6 scheme into a 4 out of 6 scheme without having a key ceremony?
>
> In an ad-hoc multi-party scheme, you request 4 of the remaining compliant parties to destroy key material allowing them to participate in a group with the traitor A, but no other key material. No system UI, but admittedly a coordination nightmare!

If the system is built to allow resharing then this is no problem.

Resharing from a t-out-of-n scheme to an r-out-of-m scheme works as follows: If the secret s is shared using the (otherwise random) polynomial f of degree t then a share consists of (i,f(i)). To reshare, at least t of the original shareholders issue shares of f(i) in an r-out-of-m manner, i.e. take a polynomial gi of degree r and compute m shares (i,j,gi(j)). When these are distributed to the new users, the new users should end up with matching j's. The old shares (i,f(i)) are deleted.

Each of the m new users now has t shares (i1,j,gi1(j)), (i2,j,gi2(j)), ... ,(it,j,git(j)). This information can be combined into a single share (j,G(j)) of s by using the Lagrange coefficients of the first scheme.

All of this can be decorated with zero knowledge proofs to prove correctness of the shares etc. Note that there is no interaction of the t shareholders and everything can be done remotely.

In the scenario that one share A is published it's enough to have t-1 users help in the resharing since every new user can use the public information. On the other hand that's a mess to program, so it's more reasonable to ask t of the remaining shareholders to help.

Doesn't sound like a coordination nightmare to me.

For all this in a more general setting see e.g.
Redistributing Secret Shares to New Access Structures and Its Applications by Yvo Desmedt and Sushil Jajodia (1997)
http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.45.3353

Does this answer the question?

Tanja
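The resharing procedure above, carried through in code as an added example (this is not Tanja's code, nor an implementation from the Desmedt/Jajodia paper). It works over the prime field GF(P) with P = 2^127 - 1 (an assumption; any prime larger than the secret will do), uses sharing polynomials of degree t-1 so that exactly t shares determine f, and simulates every party inside one process: in a real deployment each old holder i would compute its own g_i and send only the evaluations (i, j, g_i(j)) to new user j, and the zero-knowledge proofs of correctness mentioned in the message are omitted. It also covers the t-1 helper variant: a share that has been published is folded in by each new user as the constant polynomial g_A(x) = f(A), which nobody needs to be asked for.

```python
"""Shamir secret sharing with resharing from t-of-n to r-of-m (added example)."""
import secrets
from typing import Dict, List, Optional

# Field prime (assumed): the Mersenne prime 2^127 - 1. Secrets must be < P.
P = (1 << 127) - 1


def _eval_poly(coeffs: List[int], x: int, p: int) -> int:
    """Horner evaluation; coeffs[0] is the constant term."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def _random_poly(constant: int, degree: int, p: int) -> List[int]:
    """Random polynomial of the given degree whose constant term is fixed."""
    return [constant % p] + [secrets.randbelow(p) for _ in range(degree)]


def split(secret: int, t: int, n: int, p: int = P) -> Dict[int, int]:
    """t-out-of-n sharing: f has degree t-1, shareholder i receives (i, f(i))."""
    f = _random_poly(secret, t - 1, p)
    return {i: _eval_poly(f, i, p) for i in range(1, n + 1)}


def lagrange_at_zero(xs: List[int], p: int = P) -> Dict[int, int]:
    """Coefficients lambda_i such that sum(lambda_i * f(x_i)) = f(0)
    for every polynomial f of degree < len(xs)."""
    lam: Dict[int, int] = {}
    for xi in xs:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * xj % p
                den = den * (xj - xi) % p
        lam[xi] = num * pow(den, -1, p) % p
    return lam


def reconstruct(shares: Dict[int, int], p: int = P) -> int:
    """Recover s = f(0) from at least t shares {i: f(i)}."""
    lam = lagrange_at_zero(list(shares), p)
    return sum(lam[i] * y for i, y in shares.items()) % p


def issue_subshares(f_i: int, r: int, m: int, p: int = P) -> Dict[int, int]:
    """Old holder i shares its own value f(i) r-out-of-m: returns {j: g_i(j)}.
    Only these evaluations leave the holder; g_i itself stays private."""
    g_i = _random_poly(f_i, r - 1, p)
    return {j: _eval_poly(g_i, j, p) for j in range(1, m + 1)}


def combine(subshares_for_j: Dict[int, int], lam: Dict[int, int], p: int = P) -> int:
    """New user j folds its sub-shares {i: g_i(j)} into the single share G(j),
    where G(x) = sum(lambda_i * g_i(x)) has degree r-1 and G(0) = s."""
    return sum(lam[i] * v for i, v in subshares_for_j.items()) % p


def reshare(helper_shares: Dict[int, int], r: int, m: int,
            public_shares: Optional[Dict[int, int]] = None,
            p: int = P) -> Dict[int, int]:
    """Redistribute s to an r-out-of-m scheme using the old shares in
    helper_shares (plus any already-published shares in public_shares);
    together they must number at least t. Returns the new shares {j: G(j)}."""
    public_shares = public_shares or {}
    lam = lagrange_at_zero(list(helper_shares) + list(public_shares), p)
    subs = {i: issue_subshares(y, r, m, p) for i, y in helper_shares.items()}
    # A published share (A, f(A)) needs no helper: every new user can treat it
    # as the constant polynomial g_A(x) = f(A) and evaluate it locally.
    for a, y in public_shares.items():
        subs[a] = {j: y % p for j in range(1, m + 1)}
    return {j: combine({i: subs[i][j] for i in subs}, lam, p)
            for j in range(1, m + 1)}


if __name__ == "__main__":
    s = 0xC0FFEE
    old = split(s, 4, 7)                       # 4-out-of-7, share 1 plays "A"
    helpers = {i: old[i] for i in (2, 3, 5)}   # t-1 = 3 helpers suffice ...
    new = reshare(helpers, 4, 6, public_shares={1: old[1]})  # ... plus public A
    print("recovered:", reconstruct({j: new[j] for j in (1, 3, 4, 6)}) == s)
```

The security argument for the published-share case is visible in `reshare`: the new shares G(j) = lambda_A f(A) + sum(lambda_i g_i(j)) differ from a fresh r-out-of-m sharing of s only by the public constant lambda_A f(A), and the t-1 private polynomials g_i still contribute r-1 random coefficients, so r new shares are needed to recover s.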
Re: Is this the first ever practically-deployed use of a threshold scheme?
Tanja Lange wrote:
>> There is more than the UI at stake here, i.e. the basic functionality of the scheme. Say you distribute shares in a 4 out of 7 scheme (ABCDEF) and share A is published on the web. How do you recover from the remaining 3 out of 6 scheme into a 4 out of 6 scheme without having a key ceremony?
>>
>> In an ad-hoc multi-party scheme, you request 4 of the remaining compliant parties to destroy key material allowing them to participate in a group with the traitor A, but no other key material. No system UI, but admittedly a coordination nightmare!
>
> If the system is built to allow resharing then this is no problem.
>
> Resharing from a t-out-of-n scheme to an r-out-of-m scheme works as follows: If the secret s is shared using the (otherwise random) polynomial f of degree t then a share consists of (i,f(i)). To reshare, at least t of the original shareholders issue shares of f(i) in an r-out-of-m manner, i.e. take a polynomial gi of degree r and compute m shares (i,j,gi(j)). When these are distributed to the new users, the new users should end up with matching j's. The old shares (i,f(i)) are deleted.
>
> Each of the m new users now has t shares (i1,j,gi1(j)), (i2,j,gi2(j)), ... ,(it,j,git(j)). This information can be combined into a single share (j,G(j)) of s by using the Lagrange coefficients of the first scheme.
>
> All of this can be decorated with zero knowledge proofs to prove correctness of the shares etc. Note that there is no interaction of the t shareholders and everything can be done remotely.
>
> In the scenario that one share A is published it's enough to have t-1 users help in the resharing since every new user can use the public information. On the other hand that's a mess to program, so it's more reasonable to ask t of the remaining shareholders to help.
>
> Doesn't sound like a coordination nightmare to me.
>
> For all this in a more general setting see e.g.
> Redistributing Secret Shares to New Access Structures and Its Applications by Yvo Desmedt and Sushil Jajodia (1997)
> http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.45.3353
>
> Does this answer the question?
>
> Tanja

Yes, or at least it gives a good sense that these issues have been dealt with in the cryptographic literature. It seems to fulfill the operational requirements (obviously when a good faith participant receives new shares from a remote party, a trust relationship is needed, but that is a given irrespective of the underlying crypto).

Thanks a lot for your answer!

Regards,

--
- Thierry Moreau
Re: A mighty fortress is our PKI, Part II
Kaspersky: Sham Certificates Pose Big Problem for Windows Security
http://www.ecommercetimes.com/story/70553.html

from above ..

> Windows fails to clearly indicate when digital security certificates have been tampered with, according to Kaspersky Lab's Roel Schouwenberg, and that opens a door for malware makers.

... snip ...

--
virtualization experience starting Jan1968, online at home since Mar1970
EFF/iSEC's SSL Observatory slides available
http://www.eff.org/observatory

We have downloaded a dataset of all of the publicly-visible SSL certificates, and will be making that data available to the research community in the near future.

So, keep an eye on that page. The data is very useful. Many more interesting conclusions remain to be drawn from the data; once it's out (I'm told Real Soon Now), you can chew on it yourself and find things out that Eckersley and Burns haven't gotten to yet.

Highlights from the slide deck are troubling:

* In addition to the implausibly large and diverse group of CAs you trust, you also completely trust all the intermediary signers they've signed. Including, of course, DHS (slide 42). (See also: Soghoian and Stamm, Certified Lies.) Windows and Firefox trust 1,482 CA certs (651 organizations).

* Of 16 M IPs listening on 443, 10.8 M started SSL handshake; of those, 4.3 M used CA-signed cert chains (slide 14). Thus, the majority of servers use invalid/invalid/self-signed certs.

* The invalid certs contain all kinds of bad stuff (see slide 16).

* The valid certs contain all kinds of bad stuff (see the rest of the slide deck).

* CAs re-use keypairs in new certs to prolong the effective life (slide 28).

* Many CAs sign reserved/private names. Several CAs have signed e.g. 192.168.1.2. That host is certified to live in many countries by many CAs. One CA thinks its identity is the same as a public/routable IP.

* The single most often signed name is localhost (6K distinct certs for that subject name). Many CAs have signed that name many times; a few CAs only signed it once. This suggests many CAs don't even track the names they've signed to make sure they don't get tricked into signing a name twice. Never mind the fact that they shouldn't be signing private names in the first place... A colleague of mine got a CA-signed cert for mail. Could that be a problem? :)

* Your browser trusts two signing certs that use a 512-bit RSA key (slide 32).

* The bad Debian keys are not dead, and 530 are CA-signed. 73 of the 530 are revoked.

I am, as you know, predisposed to interpret Eckersley's and Burns's findings as damning for the entire trusted third party with no accountability idea --- Trent Considered Harmful. But even CA/TTP proponents must admit that our current system has failed hard: in principle, and empirically. Any new system must include a substantial answer to the numerous fatal problems Eckersley, Burns, and Ristic have observed.
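The classes of bad issuance listed above (private/reserved IPs, localhost, unqualified names like "mail", the same subject signed over and over, sub-1024-bit RSA keys) are cheap to check once the certificate data is in hand. The following stdlib-only Python is an added example, not code from the EFF/iSEC Observatory or from the poster: it runs a name-and-key audit over a handful of constructed certificate records (issuer, subject, SANs, key size) of the kind one would extract from the dataset. It assumes that "localhost" and ".local" are reserved (RFC 6761 and RFC 6762), that a name without a dot is unqualified, that any IP for which `ipaddress` reports `is_global == False` is non-routable, and a 2048-bit RSA floor as the audit policy.

```python
"""Audit certificate records for names and keys a public CA should never sign (added example)."""
import ipaddress
from collections import Counter
from typing import Dict, List, Optional, Tuple

MIN_RSA_BITS = 2048  # assumed policy floor; the slides already flag 512-bit keys

# Constructed sample records, not taken from the Observatory dataset.
SAMPLE_CERTS: List[Dict] = [
    {"issuer": "Example CA 1", "subject": "www.example.com",
     "sans": ["www.example.com", "example.com"], "key_bits": 2048},
    {"issuer": "Example CA 1", "subject": "localhost", "sans": ["localhost"], "key_bits": 2048},
    {"issuer": "Example CA 2", "subject": "localhost", "sans": [], "key_bits": 1024},
    {"issuer": "Example CA 2", "subject": "192.168.1.2", "sans": ["192.168.1.2"], "key_bits": 2048},
    {"issuer": "Example CA 3", "subject": "mail", "sans": [], "key_bits": 512},
    {"issuer": "Example CA 3", "subject": "intranet.corp.local", "sans": [], "key_bits": 2048},
]


def classify_name(name: str) -> Optional[str]:
    """Return a reason if `name` cannot identify a single party on the public
    Internet, or None if it looks like an ordinary public name."""
    n = name.strip().lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(n)
    except ValueError:
        ip = None
    if ip is not None:
        # Private (RFC 1918), loopback, link-local and reserved ranges are not global.
        return None if ip.is_global else "non-routable-ip"
    if n == "localhost" or n.endswith(".localhost") or n.endswith(".local"):
        return "reserved-name"          # RFC 6761 / RFC 6762 (assumed list)
    if "." not in n:
        return "unqualified-name"       # a bare "mail" resolves differently in every network
    return None


def audit(certs: List[Dict]) -> Dict[str, object]:
    """Flag every (issuer, name, reason) triple and count repeat-signed subjects."""
    findings: List[Tuple[str, str, str]] = []
    per_subject: Counter = Counter()
    for c in certs:
        per_subject[c["subject"].lower()] += 1
        names = {c["subject"], *c.get("sans", [])}
        for name in sorted(names):
            reason = classify_name(name)
            if reason:
                findings.append((c["issuer"], name, reason))
        if c["key_bits"] < MIN_RSA_BITS:
            findings.append((c["issuer"], c["subject"], f"weak-key-{c['key_bits']}"))
    repeated = {s: k for s, k in per_subject.items() if k > 1}
    return {"findings": findings, "repeated_subjects": repeated}


if __name__ == "__main__":
    result = audit(SAMPLE_CERTS)
    for issuer, name, reason in result["findings"]:
        print(f"{issuer:14} {name:24} {reason}")
    print("subjects signed more than once:", result["repeated_subjects"])
```

Against the real dataset the interesting output is the per-issuer breakdown: a CA that appears under `reserved-name` or `non-routable-ip` has no domain-validation step that could have passed, and a subject count well above one for `localhost` is exactly the "doesn't track what it has signed" symptom the slides describe.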
Re: EFF/iSEC's SSL Observatory slides available
They tell me they will be releasing the data both raw and as a MySQL database, so you can learn interesting things just by writing SQL queries.

> So, keep an eye on that page. The data is very useful. Many more interesting conclusions remain to be drawn from the data; once it's out (I'm told Real Soon Now), you can chew on it yourself and find things out that Eckersley and Burns haven't gotten to yet.
Re: A mighty fortress is our PKI, Part II
Anne Lynn Wheeler wrote:
> Kaspersky: Sham Certificates Pose Big Problem for Windows Security
> http://www.ecommercetimes.com/story/70553.html
>
> from above ..
>
> Windows fails to clearly indicate when digital security certificates have been tampered with, according to Kaspersky Lab's Roel Schouwenberg, and that opens a door for malware makers.

Huh? I don't understand the argument being made here. Obviously Windows can't distinguish an unsigned executable from one where there was a signature that has been stripped. How could it possibly do that?

Signatures are largely a distraction from the real problem: that software is (unnecessarily) run with the full privileges of the invoking user. By all means authenticate software, but that's not going to prevent malware.

--
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com