Re: Security of Mac Keychain, File Vault

2009-10-26 Thread Marcus Brinkmann
Jerry Leichter wrote:
 The article at http://www.net-security.org/article.php?id=1322 claims
 that both are easily broken.  I haven't been able to find any public
 analyses of Keychain, even though the software is open-source so it's
 relatively easy to check.  I ran across an analysis of File Vault not
 long ago which pointed out some fairly minor nits, but basically claimed
 it did what it set out to do.
 
 The article makes a bunch of other claims which aren't obviously
 unreasonable.
 
 Anyone know of more recent analysis of Mac encryption stuff?  (OS
 bugs/security holes are a whole other story)

The last page of the article has references and this:

MacMarshal. The best Mac tool I've seen so far, it is right now the number 1
Mac tool. MacMarshal can parse user account information, Address Book,
Safari, iChat, and can even crack File Vault. This is free to Law Enforcement.

But on another page we find:

http://www.macosxforensics.com/Analysis/CrackingFileVault/CrackingFileVault.html

Cracking FileVault is a bit of a misnomer. As of this writing, there is not a
known flaw in the 128 bit AES encryption that is being used. When attempting
to open a FileVault encrypted Home directory, there are two methods which can
be used:

Brute Force
Brute Force with a dictionary attack

[...]

Much faster utilities such as crowbarDMG and Mac Marshal are now available
which will give you speeds Spartan will never attain in its current form.

So, this seems to be all about dictionary attacks.

More troublesome is the claim by the forensic expert that the best tool to
analyze a Mac filesystem is a Mac, which he just proclaimed as insecure.  This
calls for a disaster: A trojan that targets forensic examiners...



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
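
Since the quoted page says the only known approaches against FileVault are brute
force and a dictionary, here is what such an attack actually looks like against a
password-derived key. This is an added example, not code from the thread or from
any of the tools named above. The header layout it uses (random salt, PBKDF2
iteration count, HMAC key-check value) is a constructed stand-in, not FileVault's
real on-disk format, and the wordlist and mangling rules are made up.

```python
"""Dictionary attack on a password-derived key (constructed toy format, not
FileVault's).  The attacker only ever guesses passwords; AES is never attacked."""
import hashlib
import hmac
import os
import time

KEY_LEN = 16  # 128-bit key, matching the AES-128 the quoted page refers to

def derive_key(password, salt, iterations):
    """PBKDF2-HMAC-SHA256; the iteration count is the defender's per-guess tax."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, KEY_LEN)

def make_header(password, iterations, salt=None):
    """Build the (constructed) header an examiner would read off the disk image."""
    salt = os.urandom(16) if salt is None else salt
    key = derive_key(password, salt, iterations)
    check = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "check": check}

def password_matches(header, candidate):
    """One guess: re-derive the key and compare the key-check value."""
    key = derive_key(candidate, header["salt"], header["iterations"])
    check = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return hmac.compare_digest(check, header["check"])

def mangle(word):
    """A few of the rules real crackers apply to every wordlist entry."""
    return [word, word.capitalize(), word + "1", word + "!", word + "2009"]

def dictionary_attack(header, wordlist):
    """Return (password, guesses) on a hit, or (None, guesses) after exhausting the list."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if password_matches(header, candidate):
                return candidate, guesses
    return None, guesses

def guesses_per_second(iterations, samples=10):
    """Attacker throughput on this machine for a given iteration count."""
    header = make_header("unused", iterations)
    start = time.perf_counter()
    for i in range(samples):
        password_matches(header, "guess%d" % i)
    return samples / (time.perf_counter() - start)

WORDLIST = ["password", "letmein", "kitten", "apple", "macintosh"]  # constructed

if __name__ == "__main__":
    header = make_header("apple2009", iterations=10000)
    print("recovered:", dictionary_attack(header, WORDLIST))
    for iters in (1, 1000, 100000):
        print("%7d iterations: %10.1f guesses/s" % (iters, guesses_per_second(iters)))
```

The point for a practitioner: the cipher is never touched, and the only levers the
defender controls are passphrase entropy and the iteration count. Raising
iterations from 1 to 100,000 cuts the measured guesses per second by roughly the
same factor on the same hardware, which is exactly what the "much faster
utilities" in the quoted page are racing against.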


Re: Unexpected side-effects

2009-09-30 Thread Marcus Brinkmann
Jerry Leichter wrote:
 Well, here I'll expect one. :-)

Not a new idea, although I don't know where I heard it the first time.

 As there is increasing pressure to keep
 records of Internet use, there will be a counter-move to use VPN's which
 promise to keep no records.  Which will lead to legal orders that
 records be kept, with no notification to those being tracked.  Enter
 secure remote attestation - rendering it impossible for an appropriately
 defined non-logging implementation to start logging without giving this
 fact away.

Probably off-topic for this list, but this doesn't make much sense to me, as
such non-logging implementations likely will be just as illegal as notifying
the client of the change, which seems an overall better solution if you are
willing to break the law (provided you can hide the notification from
authorities).  [In Germany, means of surveillance are required by law, as is
record keeping].

Getting back on topic, cryptographically speaking, it's also quite possible to
just monitor all incoming and outgoing traffic and correlate one with the
other.  Preventing this is not easy, even if encryption is used.

 Maybe it'll be the pirates who make the first large-scale use of those
 TPM's!

Maybe, and this would be a major confirmation that TPM actually works at any
non-trivial scale.  I can't see it, though.

Thanks,
Marcus

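
Marcus's point that incoming and outgoing traffic can be correlated regardless of
encryption, as an added example that is not part of the thread: a few clients
enter a non-logging VPN, their sessions leave it under shuffled labels, and the
observer matches them using nothing but bytes-per-second on each side. The flow
records, encapsulation overhead and forwarding delay are constructed assumptions.

```python
"""Traffic correlation across a non-logging VPN, on constructed flow records.
Each record is (seconds, bytes).  Encryption hides payloads, not when and how
much was sent, so per-bin byte volumes on both sides of the VPN line up."""
import math
import random

def synth_flow(rng, duration=60.0, bursts=25):
    """Constructed client session: request/response bursts at random times."""
    return sorted((rng.uniform(0, duration), rng.choice([300, 700, 1500, 4200, 9000]))
                  for _ in range(bursts))

def through_vpn(flow, rng, overhead=60, delay=0.05):
    """The same session on the VPN's far side: encapsulation overhead gone, a
    small forwarding delay plus jitter added.  Timing and size both survive."""
    return [(t + delay + rng.uniform(0, 0.01), max(size - overhead, 0)) for t, size in flow]

def build_scenario(seed=1, clients=4):
    """Several clients enter the VPN; their sessions leave under shuffled labels."""
    rng = random.Random(seed)
    ingress = {"client%d" % i: synth_flow(rng) for i in range(clients)}
    names = list(ingress)
    rng.shuffle(names)
    egress = {"exit%d" % j: through_vpn(ingress[name], rng) for j, name in enumerate(names)}
    truth = {name: "exit%d" % j for j, name in enumerate(names)}
    return ingress, egress, truth

def bin_volumes(records, bin_size, n_bins):
    """Total bytes per time bin: the only feature this attack needs."""
    vols = [0.0] * n_bins
    for t, size in records:
        b = int(t // bin_size)
        if 0 <= b < n_bins:
            vols[b] += size
    return vols

def pearson(x, y):
    """Pearson correlation; 0.0 when either side is constant."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return 0.0 if sxx == 0 or syy == 0 else sxy / math.sqrt(sxx * syy)

def lagged_correlation(x, y, max_lag):
    """Best correlation when y is allowed to trail x by up to max_lag bins."""
    return max(pearson(x[:len(x) - lag], y[lag:]) for lag in range(max_lag + 1))

def correlate(ingress, egress, bin_size=1.0, duration=60.0, max_lag=1):
    """For each ingress flow, the egress flow with the highest lagged correlation."""
    n_bins = int(duration / bin_size)
    ing = {k: bin_volumes(v, bin_size, n_bins) for k, v in ingress.items()}
    eg = {k: bin_volumes(v, bin_size, n_bins) for k, v in egress.items()}
    matches = {}
    for ik, iv in ing.items():
        scores = {ek: lagged_correlation(iv, ev, max_lag) for ek, ev in eg.items()}
        best = max(scores, key=scores.get)
        matches[ik] = (best, scores[best])
    return matches

if __name__ == "__main__":
    ingress, egress, truth = build_scenario()
    for client, (exit_name, score) in correlate(ingress, egress).items():
        print("%s -> %s (r=%.2f, truth %s)" % (client, exit_name, score, truth[client]))
```

The defences that do work here are the expensive ones the post alludes to:
constant-rate cover traffic, padding every packet to a fixed size, and batching
with deliberate delay, all of which attack the timing and volume features rather
than the payload.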


Re: Judge orders defendant to decrypt PGP-protected laptop

2009-03-04 Thread Marcus Brinkmann
Adam Fields wrote:
 On Tue, Mar 03, 2009 at 12:26:32PM -0500, Perry E. Metzger wrote:
 Quoting:

A federal judge has ordered a criminal defendant to decrypt his
hard drive by typing in his PGP passphrase so prosecutors can view
the unencrypted files, a ruling that raises serious concerns about
self-incrimination in an electronic age.

 http://news.cnet.com/8301-13578_3-10172866-38.html
 
 The privacy issues are troubling, of course, but it would seem trivial
 to bypass this sort of compulsion by having the disk encryption
 software allow multiple passwords, each of which unlocks a different
 version of the encrypted partition.
 
 When compelled to give out your password, you give out the one that
 unlocks the partition full of kitten and puppy pictures, and who's to
 say that's not all there is on the drive?

In this particular case, the border guard already saw the supposedly
incriminating documents, but they failed to properly secure the evidence (the
picture on the laptop) at that time.  When they shut down the laptop, the
evidence was locked down by the encryption due to the removal of the
encryption key from RAM.  Securing digital evidence is a big problem for law
enforcement.

So, if the defense then discloses a different encryption drive with only
kitten and puppy pictures, they will be in very big trouble, as there is
already testimony that other files exist.

The defense is asked to produce the documents in question.  I don't know much
about the legal bells and whistles that apply to such a case, but here are
some ideas:

* Maybe the defense could ask the prosecution to describe which pictures they
want to have in particular, and the defense can make a case to just produce
those particular pictures.  However, the prosecution can probably just demand
to produce all files within particular folders, which are easier to recall and
more likely to hit something interesting.

* Maybe the defense can argue that they lost the password and thus access to
the document.  They'd better make a convincing argument that they really can
not recover it.  It would be great if that argument is tied to the police
confiscating the equipment.  Maybe the password was written in invisible ink
on the laptop and needs to be rewritten every day or it washes away...

* I wonder if it may not be a better strategy to reveal the password and then
argue that the pornography is legal or widely available on the internet,
supposing it really is just generic internet porn.  OTOH, some material may be
legal only in some countries.

A couple of consequences:

* The safest thing to do is to do a clean operating system install before
traveling.

* If you use encryption, shut it down before crossing the border.

* Computers have too many documents in a single, easily accessible location.
If the files were more dispersed, the defense might be able to weasel out by
producing fewer documents.  Nobody would bring a meter-high stack of porn
magazines from Amsterdam in their luggage, but with cheap mass storage it's a
different situation.

Also, this information is easily explorable by everyone using the file
manager.  Maybe hierarchical organization is not the best way to store such
documents.  A searchable database that limits the number of results may offer
some protection against stumbling over something interesting.

* Online storage may be an attractive solution for border crossing without
leaving documents at home.  The internet is a big smuggling ring that easily
avoids border guards.

Marcus



Re: X.509 certificate overview + status

2009-03-02 Thread Marcus Brinkmann
Travis wrote:
 Recently I set up certificates for my server's SSL, SMTP, IMAP, XMPP,
 and OpenVPN services.  Actually, I created my own CA for some of the
 certificates, and in other cases I used self-signed.  It took me
 substantially more time than I had anticipated, and I'm left with
 feelings of unease.

Welcome to the club!

 Further, trying to dig into ASN.1 was extremely difficult.  The specs
 are full of obtuse language, using terms like object without
 defining them first.  Are there any tools that will dump certificates
 in human-readable formats?  I would really like something that could
 take a PEM file of a cert and display it in XML or something of the
 sort.

Ubuntu comes with dumpasn1.  There are also quite a few libraries.

 I'm plowing through the O'Reilly OpenSSL book, but are there other
 resources out there that could help me, or others like me?

You should be aware of Peter Gutmann's style guide:

http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt

Thanks,
Marcus

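
For Travis's question about dumping a certificate in human-readable form:
besides dumpasn1, `openssl asn1parse -in cert.pem -i` and `openssl x509 -in
cert.pem -noout -text` do this out of the box. To show what those tools actually
do, here is a minimal DER walker written for this page (it is not dumpasn1 and not
OpenSSL code). It unwraps the PEM armour, walks the tag/length/value tree and
prints one line per element with offset, length and a decoded value for the types
certificates use most. The structure it parses is a constructed certificate-shaped
skeleton (a [0] version, a serial, a Name with one CN, a UTCTime and a BIT
STRING), not a real or valid certificate.

```python
import base64
import re

UNIVERSAL = {1: "BOOLEAN", 2: "INTEGER", 3: "BIT STRING", 4: "OCTET STRING", 5: "NULL",
             6: "OBJECT IDENTIFIER", 12: "UTF8String", 16: "SEQUENCE", 17: "SET",
             19: "PrintableString", 23: "UTCTime"}

def pem_to_der(pem_text):
    """Strip the BEGIN/END armour lines and base64-decode what is left."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem_text)
    return base64.b64decode("".join(body.split()))

def read_length(data, pos):
    """DER length: short form, or long form using the fewest bytes possible."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4:
        raise ValueError("indefinite or oversized length at offset %d" % pos)
    length = int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big")
    if data[pos + 1] == 0 or length < 0x80:
        raise ValueError("non-minimal length encoding at offset %d" % pos)
    return length, pos + 1 + nbytes

def parse_der(data, pos=0, end=None, depth=0):
    """Return a list of element dicts; constructed elements carry their children."""
    end = len(data) if end is None else end
    nodes = []
    while pos < end:
        start, tag_byte = pos, data[pos]
        if tag_byte & 0x1F == 0x1F:
            raise ValueError("multi-byte tag at offset %d not supported here" % pos)
        length, pos = read_length(data, pos + 1)
        if pos + length > end:  # the bound check many real ASN.1 parsers got wrong
            raise ValueError("length %d at offset %d overruns its container" % (length, start))
        node = {"offset": start, "cls": tag_byte >> 6, "tag": tag_byte & 0x1F,
                "constructed": bool(tag_byte & 0x20), "length": length, "depth": depth}
        if node["constructed"]:
            node["children"] = parse_der(data, pos, pos + length, depth + 1)
        else:
            node["value"] = data[pos:pos + length]
        nodes.append(node)
        pos += length
    return nodes

def decode_oid(value):
    """Content octets of an OBJECT IDENTIFIER to dotted form."""
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    n = 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def describe(node):
    """Label one element, decoding the primitive types X.509 leans on."""
    if node["cls"] != 0:  # context-specific (or other non-universal) tag
        name = "[%d]" % node["tag"]
        return name if node["constructed"] else "%s %s" % (name, node["value"].hex())
    name = UNIVERSAL.get(node["tag"], "UNIVERSAL %d" % node["tag"])
    if node["constructed"]:
        return name
    v, tag = node["value"], node["tag"]
    if tag == 6:
        return "%s %s" % (name, decode_oid(v))
    if tag == 2:
        return "%s %d" % (name, int.from_bytes(v, "big", signed=True))
    if tag in (12, 19, 23):
        return "%s '%s'" % (name, v.decode("ascii", "replace"))
    if tag == 3:  # first content octet counts unused trailing bits
        return "%s (%d bits)" % (name, (len(v) - 1) * 8 - v[0])
    return "%s %s" % (name, v.hex())

def dump(nodes, lines=None):
    """dumpasn1-style listing: offset, length, indented description."""
    lines = [] if lines is None else lines
    for n in nodes:
        lines.append("%4d %4d: %s%s" % (n["offset"], n["length"], "  " * n["depth"], describe(n)))
        if n["constructed"]:
            dump(n["children"], lines)
    return lines

def der(tag_byte, content):  # short-form lengths only: enough to build the sample
    return bytes([tag_byte, len(content)]) + content

def der_oid(dotted):
    """Encode a dotted OID (base-128 arcs, high bit set on all but the last octet)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunks = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunks.insert(0, (a & 0x7F) | 0x80)
        out += bytes(chunks)
    return der(0x06, bytes(out))

def sample_pem():
    """Constructed skeleton: [0] version, serial, Name with one CN, UTCTime, BIT STRING."""
    name = der(0x30, der(0x31, der(0x30, der_oid("2.5.4.3") + der(0x0C, b"example.test"))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + name
              + der(0x17, b"090302000000Z"))
    blob = der(0x30, tbs + der(0x03, b"\x00\xa5"))
    return "-----BEGIN EXAMPLE-----\n%s-----END EXAMPLE-----\n" % base64.encodebytes(blob).decode()
```

`print("\n".join(dump(parse_der(pem_to_der(sample_pem())))))` prints the listing;
`parse_der(pem_to_der(open("cert.pem").read()))` works on a real certificate,
since every tag X.509 uses fits in one byte. The two length checks are the part
worth studying: a length that overruns its container and a non-minimal length
encoding are exactly the inputs that have broken many production ASN.1 parsers,
and a decoder that does not reject both will happily read past a buffer or accept
two different encodings of the same certificate.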


Re: MD5 considered harmful today, SHA-1 considered harmful tomorrow

2009-01-17 Thread Marcus Brinkmann
Weger, B.M.M. de wrote:
 In my view, the main lesson that the information security community, 
 and in particular its intersection with the application building 
 community, has to learn from the recent MD5 and SHA-1 history,
 is that strategies for dealing with broken crypto need rethinking.

On the other hand, compared to many other aspects of our security
infrastructure, even MD5 does quite well.  Of course, that is not meant
to be taken as an excuse.  I agree with your call to have smooth
transition systems to go from one cipher to another, but when to make
the transition is a difficult decision to make.

 PS: I find it ironic that the sites (such as ftp.ccc.de/congress/25c3/)
 offering the video and audio files of the 25c3 presentation "MD5
 considered harmful today", provide for integrity checking of those
 files their, uhm, MD5 hashes.

It seems to me they are only provided to protect against transmission
errors, and they are fine for that.  Otherwise, it would be a more
serious mistake to transfer them in-band.  Security is a spectrum.

Thanks,
Marcus



Re: A History of U.S. Communications Security

2009-01-02 Thread Marcus Brinkmann
Pehr Söderman wrote:
 Freshly declassified and a rather interesting read:
 
 A History of U.S. Communications Security (Volumes I and II, 1973)
 David G. Boak Lectures, National Security Agency (NSA)
 
 http://www.governmentattic.org/2docs/Hist_US_COMSEC_Boak_NSA_1973.pdf
 
 (From Bruce Schneier/Governmentattic)

I like the informal style of the document, it's an easy read, even if
one is not an intelligence buff.  In the first volume, all but the first
and last chapters are redacted (what is left is an introduction and
TEMPEST).  The second volume is more intact, and has some history of DES,
and a view on public key cryptography before affordable general
computers.  Certainly other things of which I don't realize the
significance...

Some of the redactions may be easily guessable, I fancy "iron curtain",
"embassy", and later "Russia" on page 97.  Why do they even bother?
This would be a good exercise for some student to write a program doing
a dictionary attack on the text using the properties of the used font.

The last page has a puzzle, an innocent text system (steganography).
Didn't solve it yet, but I think I found the clue, a misspelling of "be
advised" to "he advised".

Thanks,
Marcus

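
The student exercise Marcus proposes, a dictionary attack on the redactions using
the properties of the font, as an added example that is not part of the thread.
The per-glyph advance widths below are constructed, Helvetica-like values in
1/1000 em, an assumption and not measurements of the Boak lectures' typeface; the
dictionary is a handful of made-up guesses; and the "measured" box widths are
computed from the secret words themselves so that the example checks itself.

```python
import itertools

# Constructed per-glyph advance widths in 1/1000 em, Helvetica-like (an assumption,
# not measured from the document); a real attack measures the real face.
PROPORTIONAL = dict(zip("abcdefghijklmnopqrstuvwxyz ", [
    556, 556, 500, 556, 556, 278, 556, 556, 222, 222, 500, 222, 833,
    556, 556, 556, 556, 333, 500, 278, 556, 500, 722, 500, 500, 500, 278]))
# A typewriter face advances every glyph equally: the box then leaks only the length.
MONOSPACE = {c: 600 for c in PROPORTIONAL}

# Constructed guess list; a real attack uses a large wordlist plus sentence context.
DICTIONARY = ["iron", "curtain", "embassy", "russia", "soviet", "moscow", "berlin",
              "cipher", "agent", "east", "german", "code", "machine", "the", "of",
              "allied", "attache"]

def text_width(text, widths):
    """Rendered width of a word or phrase under the given advance-width table."""
    return sum(widths[c] for c in text.lower())

def candidates(measured, dictionary, widths, tolerance=0, max_words=2):
    """Words or phrases whose width is within tolerance of the measured box width,
    closest first.  Phrases of up to max_words dictionary entries are tried."""
    hits = []
    for n in range(1, max_words + 1):
        for phrase in itertools.product(dictionary, repeat=n):
            text = " ".join(phrase)
            width = text_width(text, widths)
            if abs(width - measured) <= tolerance:
                hits.append((text, width))
    return sorted(hits, key=lambda hit: (abs(hit[1] - measured), hit[0]))

def distinct_widths(dictionary, widths):
    """How many different widths the dictionary produces: the more there are,
    the more a single measurement narrows the guess."""
    return len({text_width(word, widths) for word in dictionary})

if __name__ == "__main__":
    for secret in ("iron curtain", "embassy", "russia"):
        box = text_width(secret, PROPORTIONAL)  # stands in for measuring the redaction
        print(secret, "->", [hit[0] for hit in candidates(box, DICTIONARY, PROPORTIONAL)])
    print("monospace guesses for a 6-character box:",
          [hit[0] for hit in candidates(6 * 600, DICTIONARY, MONOSPACE, max_words=1)])
    print("distinct widths: proportional %d, monospace %d"
          % (distinct_widths(DICTIONARY, PROPORTIONAL), distinct_widths(DICTIONARY, MONOSPACE)))
```

The comparison between the two width tables is the practical lesson: a
proportional face maps this small dictionary to 17 distinct widths, a monospaced
one to only 6, so a redaction box in a proportional font narrows the guess far
more, and a tolerance of a few units plus sentence context usually finishes the
job. Redacting by removing text and re-flowing, rather than painting a box over
it, is the only fix.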