Re: Al Qaeda crypto reportedly fails the test
In message [EMAIL PROTECTED], John Denker writes:

Here's a challenge directly relevant to this group: Can you design a comsec system so that pressure against a code clerk will not do unbounded damage? What about pressure against a comsec system designer?

If I understand your question correctly, in 1994 a VPN product was fielded that had this capability. It did not have any capability for static group or tunnel keys. It was only RSA/DH, using DH for the tunnel key and RSA only for authentication. The device had perfect forward secrecy because the use of RSA disclosed nothing about the tunnel keys, and complete RSA secret disclosure would only divulge that the D-H was authentic. The DH private keys were use-once random and the public parameters, well, public. The user could set the tunnel lifetime short or long, their choice.

In this case, the code clerk had no direct access to the key material and could not set static keys even if they tried. The box was not tamper resistant, but it was not easy to remove the keys even with physical access. The device did not have a group password (current Cisco IPSEC vulnerability) and used an invitation scheme to bring new nodes in. Link to Cisco notice is here: http://tinyurl.com/6jovo

Once the system was fielded, pressure on the systems designer could not change this. In essence, there was no code clerk. One can argue that the network administrator is the code clerk, but that person could still wire around the VPN device or attach a completely separate backdoor to cause, as you say, unbounded damage in a way that does not compromise the comsec system.

This was one of the original proposals for IPSEC, but was not selected (but that is another story). Subsequent generations of this device are still being built and sold from http://www.blueridgenetworks.com/

So, as long as I have understood your question, such systems have existed for some time.
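The separation the poster describes (a long-term RSA key used only to authenticate a use-once Diffie-Hellman exchange, so that later disclosure of the RSA secret yields no tunnel key) can be shown in a few dozen lines. The block below is an added illustration and is not code from the 1994 product, from Blue Ridge Networks, or from the Cisco notice. It assumes a toy DH group (the Mersenne prime 2^127 - 1, generator 5) and a toy unpadded RSA key built from the Mersenne primes 2^61 - 1 and 2^89 - 1; both are far too small for real use and exist only so the example runs offline without a crypto library.

```python
import hashlib
import secrets

# --- toy DH group (constructed for illustration; real deployments use RFC 3526 groups) ---
P = (1 << 127) - 1          # Mersenne prime 2^127 - 1
G = 5

# --- toy RSA identity keys (constructed; unpadded, ~150-bit modulus, illustration only) ---
E = 65537


def rsa_keypair():
    p, q = (1 << 61) - 1, (1 << 89) - 1          # both prime; gcd(E, (p-1)(q-1)) == 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


def h_int(msg: bytes, n: int) -> int:
    """Hash a message to an integer below the modulus (toy stand-in for a padding scheme)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def rsa_sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(h_int(msg, n), d, n)


def rsa_verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == h_int(msg, n)


class Peer:
    """One end of the tunnel: long-term RSA key for authentication only, use-once DH exponent."""

    def __init__(self, name: str):
        self.name = name
        self.pub_key, self.priv_key = rsa_keypair()
        self._x = None                            # DH exponent, alive only during setup

    def offer(self):
        """Pick a fresh DH exponent and sign the public value with the long-term RSA key."""
        self._x = secrets.randbelow(P - 2) + 2    # random exponent in [2, P-1]
        y = pow(G, self._x, P)
        msg = f"{self.name}:{y}".encode()
        return self.name, y, rsa_sign(self.priv_key, msg)

    def accept(self, peer_name, peer_pub_key, peer_y, sig) -> bytes:
        """Check the peer's signature, derive the tunnel key, then discard the exponent."""
        if not rsa_verify(peer_pub_key, f"{peer_name}:{peer_y}".encode(), sig):
            raise ValueError("peer authentication failed")
        shared = pow(peer_y, self._x, P)
        self._x = None                            # nothing durable can now recover the key
        return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def demo():
    a, b = Peer("A"), Peer("B")
    a_name, a_y, a_sig = a.offer()
    b_name, b_y, b_sig = b.offer()
    key_a = a.accept(b_name, b.pub_key, b_y, b_sig)
    key_b = b.accept(a_name, a.pub_key, a_y, a_sig)
    # An active attacker who alters a public value is caught by the RSA check ...
    tampered_ok = rsa_verify(b.pub_key, f"{b_name}:{b_y + 1}".encode(), b_sig)
    # ... while a later thief of both RSA private keys holds only a_y, b_y and the
    # signatures; the exponents needed for pow(peer_y, x, P) no longer exist anywhere.
    return {
        "agree": key_a == key_b,
        "tamper_detected": not tampered_ok,
        "exponents_gone": a._x is None and b._x is None,
    }
```

The point to take from the structure is that `accept` is the only place the exponent is ever used, and it is zeroed there; the RSA key never touches the DH secret, which is exactly why disclosure of the RSA secret "would only divulge that the D-H was authentic".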
- The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Websites, Passwords, and Consumers (Re: CRYPTO-GRAM, August 15, 2004)
At 11:26 PM -0500 8/14/04, Bruce Schneier wrote:

Websites, Passwords, and Consumers

Criminals follow the money. Today, more and more money is on the Internet. Millions of people manage their bank accounts, PayPal accounts, stock portfolios, or other payment accounts online. It's a tempting target: if a criminal can gain access to one of these accounts, he can steal money. And almost all these accounts are protected only by passwords.

If you're reading this essay, you probably already know that passwords are insecure. In my book Secrets and Lies (way back in 2000), I wrote:

Over the past several decades, Moore's Law has made it possible to brute-force larger and larger entropy keys. At the same time, there is a maximum to the entropy that the average computer user (or even the above-average computer user) is willing to remember. These two numbers have crossed; password crackers can now break anything that you can reasonably expect a user to memorize.

On the Internet, password security is actually much better than that, because dictionary attacks work best offline. It's one thing to test every possible key on your own computer when you have the actual ciphertext, but it's a much slower process when you have to do it remotely across the Internet. And if the website is halfway clever, it'll shut down an account if there are too many -- 5?, 10? -- incorrect password attempts in a row. If you shut accounts down soon enough, you can even make four-digit PINs work on websites.

This is why the criminals have taken to stealing passwords instead. Phishing is now a very popular attack, and it's amazingly effective. Think about how the attack works. You get an e-mail from your bank. It has a plausible message body, and contains a URL that looks like it's from your bank. You click on it and up pops your bank website. When asked for your username and password, you type it in. Okay, maybe you or I are aware enough not to type it in. But the average home banking customer doesn't stand a chance against this kind of social engineering attack.

And in June 2004, a Trojan horse appeared that captured passwords. It looked like an image file, but it was actually an executable that installed an add-on to Internet Explorer. That add-on monitored and recorded outbound connections to the websites of several dozen major financial institutions and then sent usernames and passwords to a computer in Russia. Using SSL didn't help; the Trojan monitored keystrokes before they were encrypted.

The computer security industry has several solutions that are better than passwords: secure tokens that provide one-time passwords, biometric readers, etc. But issuing hardware to millions of electronic banking customers is prohibitively expensive, both in initial cost and in customer support. And customers hate these systems. If you're a bank, the last thing you want to do is to annoy your customers.

But having money stolen out of your account is even more annoying, and banks are increasingly fielding calls from customer victims. Even though the security problem has nothing to do with the bank, even though the customer is the one who made the security mistake, banks are having to make good on the customers' losses. It's one of the most important lessons of Internet security: sometimes your biggest security problems are ones that you have no control over.

The problem is serious. In a May survey report, Gartner estimated that about 3 million Americans have fallen victim to phishing attacks. Direct losses from identity theft fraud against phishing attack victims -- including new-account, checking account and credit card account fraud -- cost U.S. banks and credit card issuers about $1.2 billion last year (in 2003). Keyboard sniffers and Trojans will help make this number even greater in 2004.

Even if financial institutions reimburse customers, the inevitable result is that people will begin to distrust the Internet. The average Internet user doesn't understand security; he thinks that a gold lock icon in the lower-right-hand corner of his browser means that he's secure. If it doesn't -- and we all know that it doesn't -- he'll stop using Internet financial websites and applications.

The solutions are not easy. The never-ending stream of Windows vulnerabilities limits the effectiveness of any customer-based software solution -- digital certificates, plug-ins, and so on -- and the ease with which malicious software can run on Windows limits the effectiveness of other solutions. Point solutions might force attackers to change tactics, but won't solve the underlying insecurities. Computer security is an arms race, and money creates very motivated attackers.

Unsolved, this type of security problem can change the way people interact with the Internet. It'll prove that the naysayers were right all along, that the Internet isn't safe for electronic commerce.

Phishing: http://www.msnbc.msn.com/id/5184077/
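The essay's remark that a "halfway clever" website shuts an account after a handful of wrong guesses is the whole difference between an offline dictionary attack and an online one. The following is an added example, not code from the essay or from any bank, of the server-side check that enforces it: salted PBKDF2 for storage, a per-account counter of consecutive failures, and a lockout window. The threshold of 5 failures, the 15-minute window, the PBKDF2 round count and the injectable clock are my choices for the illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

MAX_FAILURES = 5            # the "5?, 10?" threshold from the essay (chosen value)
LOCKOUT_SECONDS = 15 * 60   # chosen for the example
PBKDF2_ROUNDS = 50_000      # chosen for the example; tune to the server's budget


def password_hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginGuard:
    """Login check that throttles online guessing with a per-account lockout."""

    DUMMY_SALT = bytes(16)   # unknown usernames cost the same time as real ones

    def __init__(self, clock):
        self.clock = clock                  # time source, injectable for testing
        self.users = {}                     # username -> (salt, hash)
        self.failures = defaultdict(int)    # consecutive failures per username
        self.locked_until = {}              # username -> unlock time

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, password_hash(salt, password))

    def login(self, username: str, password: str) -> str:
        now = self.clock()
        if self.locked_until.get(username, 0) > now:
            return "locked"                 # the password is not even evaluated while locked
        salt, expected = self.users.get(username, (self.DUMMY_SALT, None))
        candidate = password_hash(salt, password)
        if expected is not None and hmac.compare_digest(candidate, expected):
            self.failures[username] = 0     # a success resets the counter
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= MAX_FAILURES:
            self.failures[username] = 0
            self.locked_until[username] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


def guesses_per_day(lockout_seconds: int = LOCKOUT_SECONDS,
                    attempts_per_window: int = MAX_FAILURES) -> int:
    """Upper bound on online guesses an attacker gets against one account per day."""
    return attempts_per_window * (86400 // lockout_seconds)


def demo():
    """Constructed run: five wrong guesses, then the right password during and after lockout."""
    clock = [0.0]
    guard = LoginGuard(clock=lambda: clock[0])
    guard.register("alice", "correct horse battery staple")
    results = [guard.login("alice", f"guess{i}") for i in range(MAX_FAILURES)]
    results.append(guard.login("alice", "correct horse battery staple"))  # right, but locked
    clock[0] += LOCKOUT_SECONDS + 1
    results.append(guard.login("alice", "correct horse battery staple"))
    return results
```

Two practitioner caveats follow from the arithmetic in `guesses_per_day`. With these settings an attacker still gets 480 guesses per account per day, which is plenty against a four-digit PIN over a few weeks, so the essay's "soon enough" for PINs means a lockout that only a human or a second factor clears. And a pure per-account lockout hands anyone who knows a username a way to lock the victim out; in practice the counter is usually kept per account and per source, with progressive delays before a hard lock.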
RPOW - Reusable Proofs of Work
--- begin forwarded text

To: [EMAIL PROTECTED]
Subject: RPOW - Reusable Proofs of Work
Date: Sun, 15 Aug 2004 10:43:09 -0700 (PDT)
From: [EMAIL PROTECTED] (Hal Finney)
Sender: [EMAIL PROTECTED]

I'd like to invite members of this list to try out my new hashcash-based server, rpow.net.

This system receives hashcash as a Proof of Work (POW) token, and in exchange creates RSA-signed tokens which I call Reusable Proof of Work (RPOW) tokens. RPOWs can then be transferred from person to person and exchanged for new RPOWs at each step. Each RPOW or POW token can only be used once but since it gives birth to a new one, it is as though the same token can be handed from person to person.

Because RPOWs are only created from equal-value POWs or RPOWs, they are as rare and valuable as the hashcash that was used to create them. But they are reusable, unlike hashcash.

The new concept in the server is the security model. The RPOW server is running on a high-security processor card, the IBM 4758 Secure Cryptographic Coprocessor, validated to FIPS-140 level 4. This card has the capability to deliver a signed attestation of the software configuration on the board, which any (sufficiently motivated) user can verify against the published source code of the system. This lets everyone see that the system has no back doors and will only create RPOW tokens when supplied with POW/RPOW tokens of equal value. This is what creates trust in RPOWs as actually embodying their claimed values, the knowledge that they were in fact created based on an equal value POW (hashcash) token.

I have a lot more information about the system at rpow.net, along with downloadable source code. There is also a crude web interface which lets you exchange POWs for RPOWs without downloading the client.

This system is in early beta right now so I'd appreciate any feedback if anyone has a chance to try it out. Please keep in mind that if there are problems I may need to reload the server code, which will invalidate any RPOW tokens which people have previously created. So don't go too crazy hoarding up RPOWs quite yet.

Thanks very much -

Hal Finney

--- end forwarded text

--
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
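The exchange rule Hal describes (one POW or RPOW in, one RPOW of exactly equal value out, and nothing accepted twice) is easy to state in code, and the statement shows what the 4758 attestation is protecting. The block below is an added example and is not the rpow.net server or client code. It implements hashcash minting and verification as the hashcash stamp format defines them (SHA-1 leading zero bits over a `1:bits:date:resource:ext:rand:counter` stamp) and assumes two things for the server side that the post does not specify: an in-memory set as the double-spend record, and an HMAC under a server-held key as a stand-in for the card's RSA signature on RPOW tokens.

```python
import hashlib
import hmac
import secrets
import time


def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest (hashcash's measure of work done)."""
    n = 0
    for byte in digest:
        if byte == 0:
            n += 8
            continue
        n += 8 - byte.bit_length()
        break
    return n


def mint_hashcash(resource: str, bits: int, rand: str = "", date: str = "") -> str:
    """Client side: search a counter until SHA-1 of the stamp has `bits` leading zeros."""
    rand = rand or secrets.token_hex(8)
    date = date or time.strftime("%y%m%d")
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def hashcash_value(stamp: str, resource: str) -> int:
    """Server side: the bit value a stamp proves for `resource`, or 0 if it does not verify."""
    parts = stamp.split(":")
    if len(parts) != 7 or parts[0] != "1" or parts[3] != resource:
        return 0
    try:
        bits = int(parts[1])
    except ValueError:
        return 0
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < bits:
        return 0
    return bits


class RpowServer:
    """Exchanges one spent POW/RPOW token for one fresh RPOW of equal value, never more."""

    def __init__(self, resource: str):
        self.resource = resource
        self.signing_key = secrets.token_bytes(32)  # stand-in for the card-held RSA key (assumed)
        self.spent = set()                           # double-spend record (assumed design)

    def _sign(self, body: str) -> str:
        return hmac.new(self.signing_key, body.encode(), hashlib.sha256).hexdigest()

    def rpow_value(self, token: str) -> int:
        """Bit value carried by an RPOW this server issued, or 0 if the signature is bad."""
        parts = token.split(":")
        if len(parts) != 4 or parts[0] != "rpow":
            return 0
        body = ":".join(parts[:3])
        if not hmac.compare_digest(self._sign(body), parts[3]):
            return 0
        return int(parts[1])

    def exchange(self, token: str) -> str:
        """Burn the presented token and issue a fresh one of the same value."""
        if token in self.spent:
            raise ValueError("token already spent")
        if token.startswith("rpow:"):
            value = self.rpow_value(token)
        else:
            value = hashcash_value(token, self.resource)
        if value == 0:
            raise ValueError("token failed verification")
        self.spent.add(token)
        body = f"rpow:{value}:{secrets.token_hex(8)}"
        return body + ":" + self._sign(body)


def demo():
    """Constructed run: POW -> RPOW -> RPOW, then a replay and a value-inflation attempt."""
    server = RpowServer("rpow.net")
    stamp = mint_hashcash("rpow.net", 16, rand="c0ffee", date="040815")  # constructed stamp
    rpow1 = server.exchange(stamp)     # POW -> RPOW
    rpow2 = server.exchange(rpow1)     # RPOW -> fresh RPOW of equal value
    out = {"value": server.rpow_value(rpow2), "chain_differs": rpow1 != rpow2}
    try:
        server.exchange(rpow1)         # rpow1 was burned when rpow2 was issued
        out["double_spend_rejected"] = False
    except ValueError:
        out["double_spend_rejected"] = True
    forged = rpow2.replace(":16:", ":32:", 1)   # claim double the work
    out["forgery_rejected"] = server.rpow_value(forged) == 0
    return out
```

Everything a holder of an RPOW trusts lives in `exchange`: that `value` is copied rather than invented, and that `spent` is consulted before anything is issued. The attestation Hal describes is what lets a user check that the code actually running on the card has this shape, rather than taking the operator's word for it.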
Cyber Fears On Fed's Web Plan
http://www.nypost.com/business/18671.htm

The New York Post

CYBER FEARS ON FED'S WEB PLAN

By HILARY KRAMER

August 15, 2004 -- With little fanfare, the Federal Reserve will begin transferring the nation's money supply over an Internet-based system this month - a move critics say could open the U.S.'s banking system to cyber threats.

The Fed moves about $1.8 trillion a day on a closed, stand-alone computer network. But soon it will switch to a system called FedLine Advantage, a Web-based technology. Proponents say the system is more efficient and flexible. The current system is outdated, using DOS - Microsoft's predecessor to the Windows operating system. But security experts say the threat of outside access is too big a risk.

"The Fed is now going to be vulnerable in two distinct ways. A hacker could break in to the Fed's network and have full access to the system, or a hacker might not have complete access but enough to cause a denial or disruptions of service," said George Kurtz, co-author of Hacking Exposed and CEO of Foundstone, an Internet security company. "If a security breach strikes the very heart of the financial world and money stops moving around, then our financial system will literally start to collapse and chaos will ensue."

FedLine is expected to move massive amounts of money. Currently, Fedwire transfers large-dollar payments averaging $3.5 million per transaction among Federal Reserve offices, financial institutions and federal government agencies.

Patti Lorenzen, a spokeswoman for the Federal Reserve, said the agency is taking every precaution. "Of course, we will not discuss the specifics of our security measures for obvious reasons," she said. "We feel confident that this system adheres to the highest standards of security. Without disclosing the specifics, it is important to note that our security controls include authentication, encryption, firewalls, intrusion detection and Federal Reserve conducted reviews."

Ron Gula, president of Tenable Network Security and a specialist in government cyber security, said he's sure the Fed is taking every precaution. But no system is 100 percent foolproof. "If the motive was to manipulate the money transferring, there are Tom Clancy scenarios where there are ways to subvert underlying technologies," Gula said. For example, a malicious programmer can put something in the Fed's network to cause the system to self-destruct or to wire them money.

The biggest concern isn't the 13-year-old who hacks into the Fedwire and sends himself some money - it's terrorism. On July 22, the Department of Homeland Security released an internal report saying a cyber attack could result in "widespread disruption of essential services ... damag(ing) our economy and put(ting) public safety at risk."

But the Fed's undertaking of this massive overhaul is considered a necessity. "Our strategy is to move to Web-based technology because there are inherent limitations with DOS based technology and our goal is to provide better and robust product offerings to meet our customers' needs," said Laura Hughes, vice president of national marketing at the Chicago Fed, which has spearheaded this program.
The New Digital Media: You Might Have It, But Not Really Own It
Anyone who knows about cryptography quickly comes to the conclusion that if it's encrypted, and I have the key, it's *my* property. It doesn't matter what the lawyers say -- or even the guys they hire with guns at your friendly local geographic force monopoly. :-).

Now if we can figure out a way to pay for that property cheap enough that nobody *cares* who owns it, as long as they get paid...

Cheers,
RAH

---

http://online.wsj.com/article_print/0,,SB109260940215891895,00.html

The Wall Street Journal
August 16, 2004

PORTALS

The New Digital Media: You Might Have It, But Not Really Own It

By NICK WINGFIELD
Staff Reporter of THE WALL STREET JOURNAL
August 16, 2004

Buying music used to be simple: You coughed up $14 or so for a CD, and as long as you didn't bootleg it or charge crowds of people to listen to it, the music was yours.

The Internet and other technologies are changing all that, opening up a slew of new options for purchasing entertainment, be it music or movies or games. That's a good thing. The not-so-good thing is that in the next few years, the sheer number and complexity of those new options are likely to bewilder many consumers.

You may no longer be able to own a movie or own a CD, at least in the sense those phrases have been used. Instead, you will merely have rights to the content, enforced by technology. Those rights might change over time, even at the whim of the music or movie company you get them from.

The technology allowing all this is called digital-rights management, or DRM. It's a kind of invisible software lock securely bolted onto a song or movie. Being software, it's a very flexible sort of lock. A music label, for example, might let you download a song free and then listen to it for a day, but then require you to pay up to keep on listening.

For a taste of what DRM might bring, check out Apple Computer's iTunes Music Store, which sells songs for 99 cents. ITunes comes with a DRM system that prevents customers from playing those songs on more than five computers, or burning more than seven identical lists of songs onto CDs. (Before you can play a song on a sixth computer, you need to use the DRM software to de-authorize it from one of the first five machines.) Of course, no such technical limits exist on normal music CDs, though recording companies, especially in Europe, are experimenting with restrictions.

Some iTunes users are grumbling. In June, science-fiction writer Cory Doctorow gave a talk critical of DRM technology in which he related how he hit Apple's limit on the number of computers he could play his music on -- three machines at the time. One computer was in the shop, another was at his parents' house and a third was a defective machine he had returned to Apple -- without first remembering to de-authorize his music on it so he could play it on another machine. As a result, Mr. Doctorow said he was unable to listen to hundreds of dollars worth of music.

Apple says such problems aren't common, especially since the company upped its computer limit to five in April. But that change itself was a lesson in the power of DRM: Apple's increase was retroactive, and applied to all songs, not just those purchased after the change took effect. In this case, Apple gave users more liberal rights. (It also curbed some types of CD burning, but the change didn't apply to previously purchased music.) However, there's nothing preventing Apple from making its DRM retroactively more restrictive -- though the company says that's unlikely.

Apple set up the iTunes DRM as a way of getting the big labels -- badly burned by the original Napster -- comfortable with music online. It deserves credit for helping legalize digital music: iTunes has had more than 100 million downloads. And even with the restrictions, iTunes customers more or less own their music once they've bought it.

By contrast, consumers only rent music at subscription services like RealNetworks's Rhapsody, which typically charge a $10 or so monthly fee for playing as much music as customers want. The catch: Rhapsody subscribers can play their songs only on their PCs, not portable audio players, and only as long as they keep paying their monthly bills. That's the main reason these rental sites haven't done as well as iTunes. (By the end of this year, a new version of Microsoft's DRM will allow subscription users to transfer content to portable players.)

It's not just Internet music that's getting more complicated. Most of today's movie DVDs contain restrictions that prevent users from copying them, or playing them in a different geographic region from where they are bought. But Hollywood studios, along with technology and consumer electronic companies, are working on a new generation of DVDs that will, in addition to holding more data for high-definition movies, also have a much more flexible DRM. As a result, different studios might end up imposing different DVD restrictions. You may, for