browser vendors and CAs agreeing on high-assurance certificates
http://news.com.com/Browsers+to+get+sturdier+padlocks/2100-1029_3-5989633.html?tag=st.rn

The article is a bit long-winded and short on details, but the basic message is simple: too many CAs have engaged in a price- and cost-driven race to the bottom; there are thus too many certificates being issued that aren't really trustworthy. A group of CAs and browser vendors have been meeting; they've agreed on a set of standards for certificates that represent more checking by the CA. Browsers will be enhanced to display a different sort of notification -- for IE, a green address bar.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb

- The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: browser vendors and CAs agreeing on high-assurance certificates
In message [EMAIL PROTECTED], James A. Donald writes:

> --
> Has anyone been attacked through a certificate that would not have been issued under stricter security? The article does not mention any such attacks, nor have I ever heard of such an attack.
>
> If no attacks, this is just an excuse for higher priced holy water, an attempt to alter the Browser interface to increase revenue, not increase security - to solve the CA's problem, not solve the user's problem.

The very first phishing attack I ever heard of was for paypa1.com. As I recall, they did have a certificate.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Re: A small editorial about recent events.
In message [EMAIL PROTECTED], Perry E. Metzger writes:

> I have been unable to find any evidence in the text of said resolutions that they in any way altered or amended the law on this, even temporarily. Perhaps it is the argument of the President's lawyers that something analogous to a state of war was authorized, but the fact that there is a time limit even when an explicit declaration of war exists leads me to disbelieve such arguments on their face.

The resolution very clearly did not change the text of the law. As you noted, it's easy to verify that. There's ample legal precedent that says that a president can't just ignore a law he doesn't like. One case that comes to mind is the Youngstown steel seizure case. Truman nationalized the steel companies to head off a threatened strike. There was a law on the books that would have let him stop the strike. For political reasons -- the Taft-Hartley Act was passed over his veto -- he didn't want to use it. The Supreme Court didn't buy it, even though the U.S. was at war (Korea) and steel is obviously a vital war material. There's a good summary of the case, including most of the Court's opinion, at http://usinfo.state.gov/usa/infousa/facts/democrac/59.htm -- ironically enough, a State Department web site where their own commentary says

  From a constitutional standpoint, Youngstown remains one of the great modern cases, in that it helped to redress the balance of power among the three branches of government, a balance that had been severely distorted by ... the subsequent postwar search for global security.

The Court rejected Truman's contention that he had the power as head of the military:

  we cannot with faithfulness to our constitutional system hold that the Commander in Chief of the Armed Forces has the ultimate power ... This is a job for the Nation's lawmakers, not for its military authorities.

The Court also noted that Congress rejected an amendment which would have authorized such governmental seizures in cases of emergency. Given that the Patriot Act did amend various aspects of the wiretap statute, it's hard to understand how the administration's reading is justified in any way, shape, or form.
Re: RNG quality verification
In message [EMAIL PROTECTED], Philipp Gühring writes:

> Hi Peter,
>
> > Easily solvable bureaucratic problems are much simpler than unsolvable mathematical ones.
>
> Perhaps there is some misunderstanding, but I am getting worried that the common conception seems to be that it is an unsolvable problem. What is wrong with the following black-box test?
>
> * Open browser
> * Go to a dummy CA's website
> * Let the browser generate a keypair through the keygen or cenroll.dll
> * Import the generated certificate
> * Backup the certificate together with the private key into a PKCS#12 container
> * Extract the private key from the backup
> * Extract p and q from the private key
> * Extract the random parts of p and q (strip off the first and the last bit)
> * Automate the previous steps with some GUI-Automation system
> * Concatenate all random bits from all the keypairs together
> * Do the usual statistical tests with the random bits
>
> Is this a valid solution, or is the question of the proper usage of random numbers in certificate keying material really mathematically unsolvable? (I am not an RSA specialist yet, I tried to stay away from the bit-wise details and the mathematics, so I might be wrong) But I would really worry, if it is mathematically impossible to attest the correct usage (to a certain extent, I know about the statistical limitations) of random numbers with the software I am using to get certificates.

It's really unsolvable, in several different ways.

First -- you just cannot tell if a single number is random. At best, you can look at a large selection of numbers and see if they fit certain randomness tests. Even that isn't easy, though there are several packages that will help. The best-known one is DIEHARD; ask your favorite search engine for diehard random.

However -- and it's a big however -- numbers that are random enough for statistical purposes are not necessarily good enough for cryptographic purposes. As several people have pointed out already, there are processes involving cryptographic algorithms that produce very random sequences, but are in fact deterministic to someone who knows a secret. In other words, if you don't control the generator, it's not possible to distinguish these two cases. In fact, any cipher or hash function whose output was easily distinguishable from a true-random source would be rejected by the cryptographic community.

Furthermore, even if the generator is good, if the machine using the certificates has been compromised it doesn't matter, because the malware can steal the secret key. What this boils down to is that you either trust the endpoint or you don't.

Finally, even if it were possible for you to verify that p and q were random, you *really* don't want to do that -- you *never* want to see users' secret keys, because that exposes the keys to danger and hence you to liability.

Let me make an alternative suggestion. Pick two or three key generation packages -- as I recall, both Firefox and IE have such -- generate a lot of keys, and run them through DIEHARD. Then warn your users to use only approved mechanisms for generating their certificate requests -- you just can't do any better.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
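An added example (not from either poster, and not DIEHARD) of the last step of the black-box test above, the usual statistical tests, and of why Bellovin says they cannot settle the question: it implements the NIST SP 800-22 monobit and runs tests in C and feeds them a deterministic generator driven by a secret seed (xorshift64*, an assumption standing in for a keyed cryptographic process) plus constructed patterns, one of which, "0011" repeated, passes both tests despite being obviously not random.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Two-sided normal critical value for alpha = 0.01, squared, so that the
 * tests below need neither sqrt() nor erfc(). */
#define Z_CRIT_SQ (2.576 * 2.576)

/* Frequency (monobit) test, as in NIST SP 800-22: S = #ones - #zeros;
 * the stream passes when |S| / sqrt(n) < z, i.e. S^2 < z^2 * n. */
int monobit_pass(const uint8_t *bits, size_t n)
{
    double s = 0.0;
    for (size_t i = 0; i < n; i++)
        s += bits[i] ? 1.0 : -1.0;
    return s * s < Z_CRIT_SQ * (double)n;
}

/* Runs test, as in NIST SP 800-22: V = number of runs of identical bits,
 * expected 2 n pi (1 - pi) with pi the fraction of ones; the stream passes
 * when |V - 2 n pi (1-pi)| / (2 sqrt(2n) pi (1-pi)) < z (compared squared). */
int runs_pass(const uint8_t *bits, size_t n)
{
    size_t ones = 0, v = 1;
    for (size_t i = 0; i < n; i++)
        ones += bits[i] ? 1 : 0;
    double pi = (double)ones / (double)n;
    /* Prerequisite of the test: |pi - 1/2| must be below 2 / sqrt(n). */
    if ((pi - 0.5) * (pi - 0.5) >= 4.0 / (double)n)
        return 0;
    for (size_t i = 0; i + 1 < n; i++)
        if (bits[i] != bits[i + 1])
            v++;
    double diff = (double)v - 2.0 * (double)n * pi * (1.0 - pi);
    double denom_sq = 8.0 * (double)n * pi * pi * (1.0 - pi) * (1.0 - pi);
    return diff * diff < Z_CRIT_SQ * denom_sq;
}

/* Expand a repeating pattern such as "0011" into nbits individual bits
 * (constructed input, one byte per bit). */
void pattern_bits(const char *pat, uint8_t *dst, size_t nbits)
{
    size_t len = strlen(pat);
    for (size_t i = 0; i < nbits; i++)
        dst[i] = (pat[i % len] == '1');
}

/* Deterministic generator driven by a secret seed (xorshift64*, chosen for
 * brevity; a cipher in counter mode would play the same role). Anyone who
 * knows the seed regenerates every bit, yet the output looks random. */
void secret_seeded_bits(uint64_t seed, uint8_t *dst, size_t nbits)
{
    uint64_t x = seed ? seed : 1;
    for (size_t i = 0; i < nbits; i += 64) {
        x ^= x >> 12; x ^= x << 25; x ^= x >> 27;
        uint64_t w = x * 0x2545F4914F6CDD1DULL;
        for (int b = 0; b < 64 && i + (size_t)b < nbits; b++)
            dst[i + b] = (w >> b) & 1;
    }
}

/* Run both tests on a pattern; bit 0 of the result = monobit passed,
 * bit 1 = runs passed. */
int check_pattern(const char *pat, size_t nbits)
{
    uint8_t *bits = malloc(nbits);
    pattern_bits(pat, bits, nbits);
    int r = monobit_pass(bits, nbits) | (runs_pass(bits, nbits) << 1);
    free(bits);
    return r;
}

/* 1 if two generator runs from the same seed produce identical bits. */
int seeded_reproducible(uint64_t seed, size_t nbits)
{
    uint8_t *a = malloc(nbits), *b = malloc(nbits);
    secret_seeded_bits(seed, a, nbits);
    secret_seeded_bits(seed, b, nbits);
    int same = memcmp(a, b, nbits) == 0;
    free(a); free(b);
    return same;
}

int main(void)
{
    enum { NBITS = 80000 };
    uint8_t *bits = malloc(NBITS);
    const char *pats[] = { "0", "01", "0011" };
    for (int i = 0; i < 3; i++) {
        int r = check_pattern(pats[i], NBITS);
        printf("pattern %-5s monobit=%d runs=%d\n", pats[i], r & 1, r >> 1);
    }
    secret_seeded_bits(0xC0FFEEULL, bits, NBITS);
    printf("secret-seeded  monobit=%d runs=%d (reproducible=%d)\n",
           monobit_pass(bits, NBITS), runs_pass(bits, NBITS),
           seeded_reproducible(0xC0FFEEULL, NBITS));
    free(bits);
    return 0;
}
```

The seeded stream is fully reproducible by anyone holding the seed, which is exactly the case the tests cannot detect; the p and q bits harvested by the procedure above would be fed in through the same `monobit_pass`/`runs_pass` calls.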
What phishers want
In message [EMAIL PROTECTED], James A. Donald writes:

> --
> You wrote:
> > 2. Phishers are after shared secrets, so secure each shared secret, and thus each relationship, with SRP-TLS-OpenSSL
>
> This also requires that establishing a relationship, and verifying a shared secret, should be part of the browser chrome, rather than a particular application of generic web forms.

No -- what phishers are after is money. They get that today by going after shared secrets. If banks change, they'll change.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Re: phone records for sale.
In message [EMAIL PROTECTED], Perry E. Metzger writes:

> The Chicago Sun Times reports that, for the right price, you can buy just about anyone's cell phone records:
>
> http://www.suntimes.com/output/news/cst-nws-privacy05.html
>
> Quite disturbing.

Yes, but it's also bad reporting -- the newspaper neglected to call the cell phone companies and ask what their privacy policies are. What happened may have been 100% legal and explicitly permitted by law...

18 USC 2702(a)(3) says

  a provider of remote computing service or electronic communication service to the public shall not knowingly divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications covered by paragraph (1) or (2)) to any governmental entity.

18 USC 2702(c) says

  A provider described in subsection (a) may divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications covered by subsection (a)(1) or (a)(2)) ... (6) to any person other than a governmental entity.

See http://www4.law.cornell.edu/uscode/html/uscode18/usc_sec_18_2702000-.html for the full text.

The first time I read that last clause, I couldn't believe it; I actually went and looked up the legislative history. I found that Congress wanted to permit sale for marketing or financial reasons, but wanted to limit the power of the government. (The Supreme Court had ruled previously that individuals had no expectation of privacy for phone numbers they'd dialed, since they were being given voluntarily to a third party -- the phone company.)

If the phone companies are not giving it out voluntarily, perhaps they're being tricked or perhaps they have corrupt employees. From my experience, one way you authenticate yourself to a cell phone company is by social security number, and those aren't exactly hard to find. That possibility suggests using stronger authentication, but of course that gets in the way of customer service for the 99.99% of queries that are legitimate. (I've had to call my company from abroad, more than once, on fairly urgent matters. I had no easy access to, say, my last bill.)
SIGINT and the prisoner rendition scandal
Without going into the details of the purported CIA rendition of prisoners to other countries (it's not torture; we're just outsourcing interrogation to places with less legal overhead), there may be a SIGINT connection. The following text appeared in an AP wire story today about a purported Egyptian government document:

  But Dick Marty, a Swiss senator leading the probe on behalf of the Council of Europe, said it was still not clear that the document -- a fax reportedly sent by satellite transmission from Egypt's Foreign Ministry to its embassy in London -- was genuine.
  ...
  Marty also said he wondered how Swiss intelligence intercepted a fax allegedly sent from Egypt to London.
quantum chip built
http://www.wired.com/news/technology/0%2c70001-0.html?tw=wn_tophead_5

  ...
  So, on a semiconductor chip roughly the size of a postage stamp, the Michigan scientists designed and built a device known as an ion trap, which allowed them to isolate individual charged atoms and manipulate their quantum states.
  ...
  The new chip, which is made of gallium arsenide, should be easily scaled and mass-produced, because it's made using microlithography -- the same process that makes microchips.
  ...

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
standards being adopted for encrypting stored data
http://www.networkworld.com/news/2005/121505-tape-encryption.html

  Proposed standards for protecting data on disk or tape are gathering steam within the IEEE and could be supported in products as soon as next year, according to proponents.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
NSA explains how to redact documents electronically
http://www.fas.org/sgp/othergov/dod/nsa-redact.pdf

One wonders how long it will be till someone finds an error...

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Re: NSA explains how to redact documents electronically
In message [EMAIL PROTECTED], John Levine writes:

> > http://www.fas.org/sgp/othergov/dod/nsa-redact.pdf
> >
> > One wonders how long it will be till someone finds an error...
>
> Even if it's right, it's so complicated that it seems rather optimistic to expect people to follow it correctly every time.

I agree. It's also very dependent on the exact options that Microsoft and Adobe have currently implemented. Minor changes could screw this up completely.

> I don't claim to be a big security guru, but if I were planning to distribute a redacted PDF document, I'd render it to a bitmap, then turn the bitmap back into a PDF and ship that, a digital version of printing it out and scanning it back in. On Unixish systems, one can do that in about five minutes with freeware tools like ghostscript and xpdf.

That's more or less what they did when they declassified Skipjack, though they may have used a real printer and scanner instead. Some people laughed at NSA's technical ineptitude -- didn't they know how to print to PDF directly? Others realized that NSA understood the problem at a much deeper level.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
serious threat models
I hate to play clipping service, but this story is too important not to mention. Many top Greek officials, including the Prime Minister, and the U.S. embassy had their mobile phones tapped. What makes this interesting is how it was done: software was installed on the switch that diverted calls to a prepaid phone. Think about who could manage that.

http://www.guardian.co.uk/mobile/article/0,,1701298,00.html
http://www.globetechnology.com/servlet/story/RTGAM.20060202.wcelltap0202/BNStory/International/

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Re: GnuTLS (libgcrypt really) and Postfix
In message [EMAIL PROTECTED], James A. Donald writes:

> --
> > Libgcrypt tries to minimize these coding errors; for example there are no error returns for the RNG - if one calls for 16 bytes of random one can be sure that the buffer is filled with 16 bytes of random. Now, if the environment is not okay and Libgcrypt can't produce that random - what shall we do else than abort the process. This way the errors will be detected before major harm might occur.
>
> I'm afraid I consider it instead a weakness in your API design that you have no way to indicate an error return from a function that may fail.
>
> The correct mechanism is exception handling. If caller has provided a mechanism to handle the failure, that mechanism should catch the library generated exception. If the caller has provided no such mechanism, his program should terminate ungracefully.
>
> Unfortunately, there is no very portable support for exception handling in C. There is however support in C++, Corn, D, Delphi, Objective-C, Java, Eiffel, Ocaml, Python, Common Lisp, SML, PHP and all .NET CLS-compliant languages.
>
> Absent exception handling, mission critical tasks should have no exceptions, which is best accomplished by the die-on-error standard.

Precisely. I was preparing a post of my own, saying the same thing; you beat me to it.

We all agree that critical errors like this should be caught; the only question is at what layer the action should take place. I'm an adherent to the Unix philosophy -- when a decision is made at a lower level, it takes away the ability of the higher level to do something different if appropriate, and this loss of flexibility is a bad thing.

As noted, the best answer is a modern language that supports exceptions. (Sorry, SIGABRT and setjmp/longjmp just don't cut it.) Let me suggest a C-compatible possibility: pass an extra parameter to the library routines, specifying a procedure to call if serious errors occur. If that pointer is null, the library can abort.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Re: GnuTLS (libgcrypt really) and Postfix
In message [EMAIL PROTECTED], Werner Koch writes:

> On Tue, 14 Feb 2006 13:00:33 -0500, Steven M Bellovin said:
>
> > Let me suggest a C-compatible possibility: pass an extra parameter to the library routines, specifying a procedure to call if serious errors occur. If that pointer is null, the library can abort.
>
> I agree. However the case at hand is a bit different. I can't imagine how any application or upper layer will be able to recover from that error (ENOENT when opening /dev/random). Okay, the special file might just be missing and a mknod would fix that ;-). Is it the duty of an application to fix an incomplete installation - how long shall this be taken - this is not the Unix philosophy.

It can take context-specific error recovery. Maybe that's greying out the encrypt button on a large GUI. Maybe it's paging the system administrator. It can run 'mknod' inside the appropriate chroot partition, much as /sbin/init on some systems creates /dev/console. It can symlink /dev/geigercounter to /dev/random. It can load the kernel module that implements /dev/random. It can do a lot of things that may be more appropriate than exiting.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
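An added C sketch of the error-callback parameter suggested in the previous message and of the ENOENT case discussed in this one; it is illustrative code written here, not libgcrypt's API, and the type and function names (`fatal_handler_fn`, `get_random_bytes`, the `recovery_log` struct, the nonexistent device path) are made up for the example. A NULL handler keeps the die-on-error behaviour; a non-NULL handler gets the errno and lets the caller choose the recovery.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical error-handler type (not libgcrypt's API): the library hands the
 * failing device path, the errno value and a caller-supplied context to it.
 * If the handler returns, the library returns -1 so the caller can recover. */
typedef void (*fatal_handler_fn)(const char *what, int err, void *ctx);

/* Fill buf with n bytes read from the random device at `path`.
 * on_fatal == NULL reproduces die-on-error: abort() on any failure.
 * Otherwise the handler is invoked and -1 is returned; 0 on success. */
int get_random_bytes(const char *path, unsigned char *buf, size_t n,
                     fatal_handler_fn on_fatal, void *ctx)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) {
        int e = errno;                 /* e.g. ENOENT inside a bare chroot */
        if (on_fatal == NULL) {
            fprintf(stderr, "fatal: cannot open %s: %s\n", path, strerror(e));
            abort();
        }
        on_fatal(path, e, ctx);        /* let the upper layer decide */
        return -1;
    }
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0 && errno == EINTR)
            continue;                  /* interrupted; just retry */
        if (r <= 0) {                  /* read error or unexpected EOF */
            int e = (r < 0) ? errno : EIO;
            close(fd);
            if (on_fatal == NULL)
                abort();
            on_fatal(path, e, ctx);
            return -1;
        }
        got += (size_t)r;
    }
    close(fd);
    return 0;
}

/* Context for a handler that records the failure instead of dying; a real
 * application might grey out an "encrypt" button or page an administrator. */
struct recovery_log {
    int calls;
    int last_errno;
    char what[128];
};

static void record_failure(const char *what, int err, void *ctx)
{
    struct recovery_log *log = ctx;
    log->calls++;
    log->last_errno = err;
    snprintf(log->what, sizeof log->what, "%s", what);
}

/* Ask for random bytes from a device path that does not exist (a constructed
 * stand-in for a chroot lacking /dev/random) and report the errno the handler
 * received; 0 if the library did not signal the failure exactly once. */
int errno_for_missing_device(void)
{
    struct recovery_log log = {0, 0, ""};
    unsigned char buf[16];
    int rc = get_random_bytes("/nonexistent-placeholder/dev/random", buf,
                              sizeof buf, record_failure, &log);
    return (rc == -1 && log.calls == 1) ? log.last_errno : 0;
}

int main(void)
{
    unsigned char key[16];
    struct recovery_log log = {0, 0, ""};

    /* Normal path: the device exists and the handler is never called. */
    if (get_random_bytes("/dev/urandom", key, sizeof key, record_failure, &log) == 0)
        printf("got %zu key bytes, handler calls: %d\n", sizeof key, log.calls);

    /* Missing device: the library reports instead of aborting the process. */
    int e = errno_for_missing_device();
    printf("missing device -> errno %d (%s)\n", e, strerror(e));
    return 0;
}
```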
the return of key escrow?
According to the BBC, the British government is talking to Microsoft about putting in a back door for the file encryption mechanisms.

http://news.bbc.co.uk/1/hi/uk_politics/4713018.stm

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
distributed password cracking as a product
http://www.net-security.org/article.php?id=901

The really interesting part is the implication that there's still a lot of 40-bit crypto out there...

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Re: NPR : E-Mail Encryption Rare in Everyday Use
In message [EMAIL PROTECTED], Ed Gerck writes:

> This IS one of the sticky points ;-) If postal mail would work this way, you'd have to ask me to send you an envelope before you can send me mail. This is counter-intuitive to users.

I assumed that that was your point, which is why I figured you were trolling. But of course, your analogy is precisely wrong -- I can look up people's addresses, physical and electronic. People who want to engage in secure communication publish their keys. I haven't checked Paul's home page; Ben and I both have links to our PGP keys from our web pages. You don't.

> Your next questions could well be how do you know my key is really mine... how do you know it was not revoked ...all of which are additional sticky points. In the postal mail world, how'd you know the envelope is really from me or that it is secure?

Of course, you know even less about such things in the physical world. But you know that, too. So what is your point?

Certainly, usability is an issue. It hasn't been solved because there's no market for it here; far too few people care about email encryption. And they're right -- their email is insecure, but given the environment of the typical desktop system would crypto do any good? We've already seen tailored worms stealing corporate information; we've also seen keystroke loggers and e-theft programs that watch for a login successful screen from your financial provider. How would encrypting email help a businessman in an environment like that? (I know -- have a separate machine used only for encrypting and decrypting files, and use a flash drive to carry ciphertext back and forth. Talk about usability problems)

Yes, I can and do send encrypted email. Statistically, I don't do it very often. In all of last year, I sent four such messages, comprising exactly one conversation. My effective security is locked-down hosts, in particular the machine where sensitive inbound mail sits until I pull it down to my laptop. This way, I don't have to trust my employer, my ISP, etc. And I use SSL or SSH -- with checking of the far-side certificates -- for transport.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Re: bounded storage model - why is R organized as 2-d array?
On Thu, 09 Mar 2006 02:10:58 -0500 [EMAIL PROTECTED] wrote:

> This is very useful for encrypting things like video streams without an expensive hardware cryptographic accelerator card.

I think you vastly overestimate how much hardware one needs to do something like AES. I ran

  dd if=/dev/zero bs=32k count=1024| openssl speed aes-128-cbc

on a 1500 MHz Athlon. It reported speeds of ~27.5 MBps, or 220 Mbps. Even video isn't that fast, and that's a slow CPU by today's standards.

Also -- I don't know how large these random tables have to be, but if they don't fit in cache the cipher will be quite slow -- memory bandwidth hasn't increased nearly as rapidly as CPU speed; modern machines utterly rely on their caches.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Re: Creativity and security
On Sun, 26 Mar 2006 19:07:07 -0800, Joseph Ashwood [EMAIL PROTECTED] wrote:

> - Original Message -
> From: J. Bruce Fields [EMAIL PROTECTED]
> Subject: Re: Creativity and security
>
> > On Fri, Mar 24, 2006 at 06:47:07PM -, Dave Korn wrote:
> > > IOW, unless we're talking about a corrupt employee with a photographic memory and telescopic eyes,
> >
> > Tiny cameras are pretty cheap these days, aren't they? The employee would be taking more of a risk at that point though, I guess.
>
> The one I find scarier is the US restaurant method of handling cards. For those of you unfamiliar with it, I hand my card to the waiter/waitress, the card disappears behind a wall for a couple of minutes, and my receipt comes back for me to sign along with my card.
>
> Just to see if anyone would notice I actually did this experiment with a (trusted) friend that works at a small upscale restaurant. I ate, she took my card in the back, without hiding anything or saying what she was doing she took out her cellphone, snapped a picture, then processed everything as usual. The transaction did not take noticeably longer than usual, the picture was very clear, in short, if I hadn't known she was doing this back there I would never have known. Even at a high end restaurant where there are more employees than clients no one paid enough attention in the back to notice this. If it wasn't a trusted friend doing this I would've been very worried.

There was a Dilbert strip on that about 10 years ago. (Jan 11, 1996, according to my saved copy, but it doesn't seem to be available via their web archive.) It shows Dilbert saying that he'd never buy anything online because he doesn't want his credit card number floating around the net. He then hands his credit card to a waitress, who comes back wearing a fur coat.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Enigma for sale on EBay
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItemitem=6265092168ruhttp%3A%2F%2Fsearch.ebay.com%3A80%2Fsearch%2Fsearch.dll%3Ffrom%3DR40%26satitle%3D6265092168%26fvi%3D1
http://www.theregister.co.uk/2006/03/29/enigma_for_sale/

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
wiretapping in Europe
There's a long AP wire story on wiretapping in Europe; see http://www.washingtonpost.com/wp-dyn/content/article/2006/04/08/AR2006040800529.html

There are a number of intriguing statements in the article. For example, in Italy 106,000 wiretaps were approved last year. By contrast, in the US there were only about 1,700 wiretaps in 2004. (That number does not include Foreign Intelligence Surveillance Act wiretaps. It is also unclear to me if the Italian number represents calls tapped, as opposed to court orders issued, which is what the US number represents.) Italian prosecutors strongly defend the need for wiretaps, but called the recent warrantless NSA wiretaps illegal under our judicial traditions.

A study at the Max Planck Institute said that Italy, followed by the Netherlands, does the most wiretapping. One of the authors said:

  wiretaps are much more common on the European continent than in Britain or the United States, where he said there is a more institutionalized mistrust in the relationship between civil society and a state-organized judiciary. He said research showed that wiretaps are often used to support weak cases and seldom help to achieve a guilty verdict. The more wiretaps are used, the lower the conviction rates, he said.
Re: History and definition of the term 'principal'?
On Wed, 26 Apr 2006 18:33:43 +0200, Hadmut Danisch [EMAIL PROTECTED] wrote:

> I need to solve a dispute. Someone claims that 'principal' is an established 'concept' introduced by Roger Needham, but could not give any citation. Someone else confirms this and claims that 'principal' is indeed a 'well-introduced' concept, but also can't cite any source or give any definition.

There were a number of things that Roger deserves at least some credit for that he never claimed (such as one-way hashing of passwords), at least in part because they were developed at the Eagle Pub. Whether it was modesty on his part, the fact that these things were group efforts, or the fine IPA they serve there I don't know...

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
PGP master keys
In an article on disk encryption (http://www.theregister.co.uk/2006/04/26/pgp_infosec/), the following paragraph appears:

  BitLocker has landed Redmond in some hot water over its insistence that there are no back doors for law enforcement. As its encryption code is open source, PGP says it can guarantee no back doors, but that cyber sleuths can use its master keys if necessary.

What is a master key in this context?

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Re: PGP master keys
On Wed, 26 Apr 2006 22:24:22 -0400, Derek Atkins [EMAIL PROTECTED] wrote:

> Quoting Steven M. Bellovin [EMAIL PROTECTED]:
>
> > In an article on disk encryption (http://www.theregister.co.uk/2006/04/26/pgp_infosec/), the following paragraph appears:
> >
> >   BitLocker has landed Redmond in some hot water over its insistence that there are no back doors for law enforcement. As its encryption code is open source, PGP says it can guarantee no back doors, but that cyber sleuths can use its master keys if necessary.
> >
> > What is a master key in this context?
>
> ADK, the Additional Decryption Key. An enterprise with a Managed PGP Desktop installed base can set up an ADK and all messages get encrypted to the ADK in addition to the recipient's key.

Ah -- corporate key escrow. An overt back door for Little Brother, rather than a covert one for Big Brother.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Re: Linux RNG paper
On Thu, 04 May 2006 18:14:09 +0200, markus reichelt [EMAIL PROTECTED] wrote:

> * Travis H. [EMAIL PROTECTED] wrote:
>
> > 1) In the paper, he mentions that the state file could be altered by an attacker, and then he'd know the state when it first came up. Of course, if he could do that, he could simply install a trojan in the OS itself, so this is not really that much of a concern. If your hard drives might be altered by malicious parties, you should be using some kind of cryptographic integrity check on the contents before using them. This often comes for free when encrypting the contents.
>
> Agreed; but regarding unix systems, I know of no crypto implementation that does integrity checking. Not just de/encrypt the data, but verify that the encrypted data has not been tampered with.

See Space-Efficient Block Storage Integrity, Alina Oprea, Mike Reiter, Ke Yang, NDSS 2005, http://www.isoc.org/isoc/conferences/ndss/05/proceedings/papers/storageint.pdf

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Re: Get a boarding pass, steal someone's identity
On Sun, 07 May 2006 12:53:41 -0400, Perry E. Metzger [EMAIL PROTECTED] wrote:

> I got this pointer off of Paul Hoffman's blog. Basically, a reporter uses information on a discarded boarding pass to find out far too much about the person who threw it away
>
> http://www.guardian.co.uk/idcards/story/0,,1766266,00.html
>
> The story may be exaggerated but it feels quite real. Certainly I've found similar issues in the past. These days, I shred practically anything with my name on it before throwing it out. Perhaps I'm paranoid, but then again...

I read the article. What bothers me is the focus on CAPS II, Secure Flight, and all the other US government-mandated initiatives. I saw nothing in it that seemed in any way related to security. Every one of those database entries could have been there -- and probably were there -- for the convenience of airline passengers. In particular, I'm referring to the ability to check in online and print your own boarding pass. For business travelers who use only carry-on baggage, it's a *major* timesaver. I've been on flights where I had to wait 45-60 minutes (or more) just to get my boarding pass, independent of any security screening.

Passport numbers? I've always had to present my passport when checking in for an international flight; the difference now is that I see what's happening. (Yes, US immigration is fussier about passport and customs inspections than most other countries I've visited -- but in my personal experience, that dates back to 1971. It's also less fussy about emigration -- I remember having to listen to fundamentalist religious preaching from an Australian emigration officer some years ago.)

The real point here is carelessness with access controls. *That's* what we have to fight. It's certainly better if databases don't exist; as I said, I think that these exist because of customer demand, not government mandates.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Re: Get a boarding pass, steal someone's identity
On Mon, 08 May 2006 10:38:38 -0400, Perry E. Metzger [EMAIL PROTECTED] wrote:

> The person who sent this asked that I forward it anonymously.
>
> From:
> Subject: Re: Get a boarding pass, steal someone's identity
> To: Perry E. Metzger [EMAIL PROTECTED]
>
> (If you want to post this, please make it anonymous. Thanks.)
>
> Have you noticed that airline tickets are once again de-facto transferable? If you print your own boarding pass at home, you can digitally change the name on it before you print. If you have no bags to check, then the person who checks your ID at the security checkpoint has no way to read the bar code, and the person who reads the bar code at the gate does not check your ID.

This is hardly either news or sensitive. Schneier described it in CRYPTOGRAM almost 3 years ago (http://www.schneier.com/crypto-gram-0308.html#6), as did Eric Rescorla (http://www.rtfm.com/movabletype/archives/2003_10.html#000546); it's also been in Slate (http://www.slate.com/id/2113157/fr/rss/).

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Phil Zimmermann and voice encryption; a Skype problem?
There's an article in today's NY Times (for subscribers, it's at http://www.nytimes.com/2006/05/22/technology/22privacy.html?_r=1oref=slogin ) on whether Phil Zimmermann's Zfone -- an encrypted VoIP package -- will invite government scrutiny. There doesn't seem to be any imminent threat in the U.S.; the one concrete example mentioned -- the British plan to give police the power to compel individuals to disclose keys -- doesn't threaten Zfone, because it uses Diffie-Hellman for (among other things) perfect forward secrecy and doesn't even have any long-term keys. (See draft-zimmermann-avt-zrtp-01.txt for protocol details.) The fascinating thing, though, was this sentence near the end of the article: But at a conference last week in Cyprus, German officials said they had technology for intercepting and decrypting Skype phone calls, according to Anthony M. Rutkowski, vice president for regulatory affairs and standards for VeriSign, a company that offers security for Internet and phone operations. The Berson report says that Skype uses AES-256. NSA rates that as suitable for Top Secret traffic, so it's presumably not the cipher. Berson analyzed a number of other possible attack scenarios; the only one that seems to be possible is an active attack plus forged certificates. If Berson's analysis was correct -- and we all know how hard it is to verify cryptographic protocols -- that leaves open the possibility of a protocol change that implemented some sort of Clipper-like functionality. A silent change like that would be *very* ominous. --Steven M. Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Secure phones from VectroTel?
On Tue, 23 May 2006 11:19:38 -0400, Perry E. Metzger [EMAIL PROTECTED] wrote: Following the links from a /. story about a secure(?) mobile phone VectroTel in Switzerland is selling, I came across the fact that this firm sells a full line of encrypted phones. http://www.vectrotel.ch/ The devices apparently use D-H key exchange to produce a 128 bit AES key which is then used as a stream cipher (presumably in OFB or a similar mode). Authentication appears to be via a 4 digit pin, certainly not the best of mechanisms. A 4-digit PIN using EKE or its successors can be a fine thing for a voice phone -- it's rather hard to brute-force when the other end can't keep up... In fact, we mentioned that in our original EKE paper. --Steven M. Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Elizabethan traffic analysis
We tend to think of traffic analysis as a modern technique, but it's actually quite old. Here is a message from a spy, observing the activities of two of (English Queen) Elizabeth I's courtiers, whom he suspected of trying to manipulate her successor: many secret meetings are made between them, where, after serious consults, they dispatch messengers and packets of letters, this sometimes twice in a week. This was in 1602. --Steven M. Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Status of attacks on AES?
On Sun, 4 Jun 2006 16:52:38 -0500, Marcos el Ruptor [EMAIL PROTECTED] wrote: http://defectoscopy.com/forum/viewtopic.php?t=3 http://defectoscopy.com/results.html and http://defectoscopy.com/background.html Are there any peer-reviewed descriptions of your technique? Right now, all that site seems to have -- and forgive me if I've missed a link -- is a set of simple assertions about various ciphers, plus a fairly vague background page. Put another way, and I hate to be this blunt, is there any reason to think your results are correct and/or meaningful? --Steven M. Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Status of attacks on AES?
On Wed, 7 Jun 2006 15:02:35 -0500, Marcos el Ruptor [EMAIL PROTECTED] wrote: Right. But can you explain *why* you strongly believe in it? In the last 10 years it never failed to tell the difference between good and bad ciphers. The only thing that makes it controversial is its ability to detect flaws in ciphers believed to be strong simply because no attacks against them are found yet. I shouldn't pursue this, but I will. This is still proof by blatant assertion. It isn't controversial because it's not even worth thinking about. You've claimed that (a) you have a powerful but secret method for analyzing ciphers, and (b) AES fails your tests. That's nice. Suppose I said that when I calculated SHA-512 of the pdf version of the AES standard mod 257 and found that it was prime (it's 5, if my script is correct), and therefore AES was insecure. You'd laugh at me, and rightly so. You say you have a method to evaluate ciphers. Without full details, no one can form their own judgment if it's valid or not. (My proposal clearly isn't valid.) You say you've evaluated AES and other ciphers. Without full details, we don't know if your evaluation is correct. By contrast, see the controversy over the XSL attack on AES. (The Wikipedia article, http://en.wikipedia.org/wiki/XSL_attack, is a good summary.) There are claims and counterclaims, but everything is public. Note in particular Coppersmith's claim that Courtois and Pieprzyk overcounted the number of linearly independent equations -- their basic method may or may not be correct -- Coppersmith himself says that the method has some merit, and is worth investigating -- but they apparently applied it incorrectly. You should also explain why you're keeping the details secret. The market for new block ciphers is tiny. No credible vendor is going to rely on a cipher evaluated by an unproven technique. (For that matter, the near-universal consensus in the open community is proprietary ciphers are generally worthless.) --Steven M. Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
mailer certificate retrieval via LDAP?
Are there any common mailers -- open source preferred but not mandatory -- that can query LDAP directories to retrieve X.509 certificates for use in S/MIME messages? Evolution and Thunderbird are both able to send S/MIME, but don't seem to have any easy certificate retrieval mechanisms. --Steven M. Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Chinese WAPI protocol?
On Wed, 14 Jun 2006 12:33:46 -0700, Ben Pfaff [EMAIL PROTECTED] wrote: David Wagner [EMAIL PROTECTED] writes: The specification is secret and confidential. It uses the SMS4 block cipher, which is secret and patented. [*] Secret and patented are mutually exclusive. Perhaps not. The Clipper chip may have been patented -- see http://catless.ncl.ac.uk/Risks/15.48.html#subj1 for details. I also don't know what Chinese law is on the subject. --Steven M. Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Greek cellular wiretapping scandal
The Greek cellular wiretapping scandal was the subject of a front-page article in today's Wall Street Journal. (It's http://online.wsj.com/article/SB115085571895085969.html?mod=hps_us_pageone for subscribers.) The broad outlines of the story are familiar to anyone who has been following the story -- a Lawful Intercept mechanism was abused to send copies of certain calls to prepaid cell phone numbers -- but the details are interesting. From a non-technical perspective, at least one death may be linked to the incident. A communications expert who was working on the switch apparently committed suicide, but this has been questioned by some. He told his fiancée not long before he died that it had become a matter of life or death that he leave [Vodafone] The problem was discovered when some people had problems sending text messages; the link between the two issues is unclear. The bug itself wasn't simply a matter of turning on Lawful Intercept. That software did exist in the switch, but everyone says it wasn't activated and Ericsson wasn't paid for it. (Aside: Greece does have a CALEA-like law, which means it should have been enabled.) Vodafone denies even knowing about such software, which strikes me as improbable. In addition, the attack required some other software that activated the Lawful Intercept but hid its existence. In other words, it was a rootkit running on a phone switch. I have more than a passing acquaintance with the complexity of phone switch software; doing that was *hard* for anyone, especially anyone not a switch developer. Installing the rogue software quite likely involved authorized access to Vodafone's networks. Most suspicious, the prepaid phones that could pick up the calls were in contact via phone calls and text messages with various overseas destinations, namely the U.S., including Laurel, Md., the U.K., Sweden and Australia, according to the ADAE preliminary report. Some of these calls and messages were initiated and received directly from the 14 interceptor phones and some were relayed via a second group of at least three other prepaid phones that also were in contact with the 14 interceptor phones. Guess what's just to the east of Laurel, MD... On the other hand, exposing links like that is clumsy -- could it be disinformation? And one of the phones monitored was from the American embassy in Athens -- or is that the disinformation? Or is NSA spying on the embassy? You are in a maze of twisty little spooks, all different. The attack was very sophisticated, and required a great deal of arcane knowledge. Whoever did it had detailed knowledge of Ericsson switches, and probably a test lab with the proper Ericsson gear. It strongly suggests that Ericsson and/or Vodafone insiders were involved -- my guess is both. But who did it, and why, remains obscure. --Steven M. Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
EMC is buying RSA
http://www.tmcnet.com/usubmit/-emc-announces-definitive-agreement-acquire-rsa-security-further-/2006/06/29/1700560.htm says that EMC is buying RSA. --Steven M. Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
cryptanalysis of Galileo satellite navigation signals
The EU Galileo navigation satellite uses a set of pseudo-random numbers to secure access to its data. Galileo is partially investor-funded; part of the business model is to sell access to the data. Some researchers at Cornell took a different approach -- they cryptanalyzed the algorithm... Better yet, they got an opinion from their university lawyer that the DMCA didn't apply. See http://www.newswise.com/articles/view/521790/?sc=rsla for details. --Steven M. Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Recovering data from encrypted disks, broken CD's
On Fri, 28 Jul 2006 10:16:23 -0400, [EMAIL PROTECTED] wrote: Encryption can be broken I was surprised to learn that Ontrack regularly recovers encrypted data on systems where the user has lost the key. There's only a couple of technologies where we would run into a roadblock [such as] some of the new laptops that have passwords that are tied to the media and to the BIOS, says Burmeister. That raises the question: if they can do it, who else can? On encrypted systems that are more difficult to crack, OnTrack also has a secret weapon. Certain situations involve getting permission to get help from the manufacturer, he says. I wonder how accurate this is. It's certainly true that some drives have vendor passwords to unlock them. It's hard to see how they could break through (good) software encryption, unless the software vendor -- probably Microsoft -- has implemented some form of key escrow, which to my knowledge they've adamantly opposed doing. In fact, Microsoft just withdrew an add-on feature to provide easy-to-use encrypted folders because corporations didn't like the lack of key recovery. --Steven M. Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
NSA running out of electrical power
There have been a number of news articles recently about server farms running into power crunches. NSA, as we all know, has lots of computers. They're running into a power crunch, too, according to http://www.baltimoresun.com/news/nationworld/bal-te.nsapower06aug06,0,5137448.story The story doesn't say so, but I would guess they're having cooling problems, too. --Steven M. Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
A lack of US cryptanalytic security before Midway?
The conventional wisdom is that the successful US cryptanalytic efforts against Japanese naval codes was a closely-held secret. I've just stumbled on a source that disputes that. In The Unknown Battle of Midway: The Destruction of the American Torpedo Squadrons (Alvin Kernan, Yale University Press, 2005), the author states: Rumors began to circulate that the Japanese were planning to invade little Midway Atoll and draw our ships out to fight the great sea battle their strategy had long anticipated. Our information, we heard, at the scuttlebutt, came from code breakers... Unbelievably, the Japanese never tumbled throughout the entire war to the fact that their codes had been broken, and the U.S. Navy, equally blindly, continued to believe that its ability to read one after another of the Japanese codes remained a deep, dark secret from its own sailors. But when the American carriers sailed from Pearl Harbor to the Battle of Midway everyone aboard knew what was in the wind and how we knew it. The source for this statement isn't clear. The author himself was an enlisted sailor on one of the American carriers (he was an ordnanceman for a torpedo squadron), so it may be first person knowledge. Later in the second paragraph, there's a footnote to Prange et al's Miracle at Midway, but I don't have that reference. --Steven M. Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: A lack of US cryptanalytic security before Midway?
On 7 Sep 2006 15:33:15 -, John Levine [EMAIL PROTECTED] wrote: The conventional wisdom is that the successful US cryptanalytic efforts against Japanese naval codes was a closely-held secret. Has the conventional wisdom forgotten that it was reported in the Chicago Tribune in 1942? See, for example, http://www.newseum.org/warstories/essay/secrecy.htm Fortunately, the Navy Department had enough sense not to make a public stink, and the Japanese evidently didn't read the Chicago paper. The URL you cite does not support your claim. It speaks of the successful cryptanalysis of JN-25 as one of the closest kept secrets of World War II. It also notes that the reporter learned of some data just from seeing a piece of paper in a senior officer's quarters, rather than knowing about the real source of the data, and that the Trib's headline -- NAVY HAD WORD OF JAP PLAN TO STRIKE AT SEA -- was not in fact justified by what the reporter had seen and written. In other words, there was not a factual leak of the real secret, though admittedly Japanese counter-intelligence would likely have drawn the proper conclusion had they seen the story. I should note that if Kernan's account is correct, the danger to American SIGINT efforts was far greater than was realized. Three downed American airmen were rescued by Japanese ships; they were then interrogated and executed. None of them (again, according to Kernan) had had proper training on what they should or should not disclose. If, indeed, the fact of cryptanalysis was common knowledge, it was lucky indeed that the proper questions weren't asked -- or if they were asked, they weren't answered, even though at least one of them did give away more information than he should have. --Steven M. Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Why the exponent 3 error happened:
On Thu, 14 Sep 2006 17:21:28 -0400, Victor Duchovni [EMAIL PROTECTED] wrote: If so, I fear we are learning the wrong lesson, which while valid in other contexts is not pertinent here. TLS must be flexible enough to accommodate new algorithms, this means that the data structures being exchanged are malleable, and that implementations must validate strict adherence to a specifically defined form for the agreed algorithm, but the ability to express other forms cannot be designed out. This, in my view, has little to do with ASN.1, XML, or other encoding frameworks. Thorough input validation is not yet routinely and consistently practiced by most software developers. Software is almost invariably written to parse formats observed in practice correctly, and is then promptly declared to work. The skepticism necessary to continually question the implicit assumption that the input is well-formed is perhaps not compatible with being a well-socialized human. The attackers who ask the right questions to break systems and the few developers who write truly defensive code are definitely well off the middle of the bell-curve. It is not just PKCS#1 or X.509v3 that presents opportunities for crafting interesting messages. MIME, HTTP, HTML, XML, ... all exhibit similar pitfalls. Loosely speaking, this looks like a variant of Goedel's theorem, if the protocol is expressive enough it can express problematic assertions. We can fine-tune some protocols to remove stupid needless complexity, but enough complexity will remain to make the required implementation discipline beyond the reach of most software developers (at least as trained today, but it is not likely possible to design a training program that will a preponderance all strong defensive programmers). A software testing expert once asked me why even good test groups didn't find more of the software holes. I told her it was because the spec said things like must accept input up to 4096 bytes rather than must accept input up to 4096 bytes and must detect and reject longer input strings. I think we're seeing the same thing here -- the spec didn't say must reject, so people who coded to the spec fell victim. As for the not compatible with a well-socialized human -- well, maybe -- I don't think normal people describe themselves as paranoid by profession --Steven M. Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Fw: [Cfrg] Invitation to review Bluetooth Simple Pairing draft specification
Forwarded with permission. Begin forwarded message: Date: Fri, 15 Sep 2006 17:17:55 -0700 From: Robert Hulvey [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: [Cfrg] Invitation to review Bluetooth Simple Pairing draft specification Hello, My name is Robert Hulvey and I am a Systems Engineer with Broadcom Corp. working on Bluetooth products. I participate in several groups within the Bluetooth Special Interest Group (SIG) including the Core Specification Working Group (CSWG), the Human Interface Device (HID) Working Group, and the Bluetooth Architecture Review Board (BARB). Within the CSWG, we have been developing a feature called Simple Pairing to address the weaknesses which were part of the original Bluetooth specification's pairing mechanism. Our hope is that the new pairing method will be FIPS compliant, and as such we would appreciate your review and feedback on whether we are on track to achieve this goal. Pairing refers to the method of associating 2 devices so that they can communicate via the Bluetooth wireless protocol. Note that Simple Pairing is just a first step, and does nothing to change the Bluetooth encryption mechanism (the Massey-Rueppel stream cipher, also known within the specification as E0). We anticipate changing to AES in counter-mode, similar to what WiFi currently uses, in a future version of the specification. The following is a link to a whitepaper which has been made publicly available for the express purpose of encouraging outside review of the draft specification. Please feel free to forward this to any other interested parties. See: http://www.bluetooth.com/Bluetooth/Apply/Technology/Research/Simple_Pairing.htm Please send any feedback to the address shown in the document ([EMAIL PROTECTED]), but please also copy me at [EMAIL PROTECTED] Thank you for your time. Best Regards, -Rob Robert W. Hulvey Principal Systems Engineer Broadcom Corporation Mobile Wireless Group 16215 Alton Parkway Irvine, CA 92618 [EMAIL PROTECTED] http://www.broadcom.com tel: mobile: 949-926-6239 310-384-0996 --Steven M. Bellovin, http://www.cs.columbia.edu/~smb attachment: ConnectBt.jpg
Did Hezbollah use SIGINT against Israel?
http://www.newsday.com/news/printedition/stories/ny-wocode184896831sep18,0,7091966,print.story That isn't supposed to be possible these days... (I regard it as more likely that they were doing traffic analysis and direction-finding than actually cracking the ciphers.) --Steven M. Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Exponent 3 damage spreads...
On Thu, 21 Sep 2006 07:00:03 -0400, Whyte, William [EMAIL PROTECTED] wrote: Similarly, the thousands of words of nitpicking standards, bashing ASN.1, and so on ad nauseam, can be eliminated entirely by following one simple rule: Don't use e=3 I'd extend it to don't use e = 17. The PKCS#1 attack will work with e = 17, SHA-512 and RSA-15360, and someone's bound to implement RSA-15360 somewhere to claim 256-bit security. NIST's draft revision of FIPS 186-3 says (b) The exponent e shall be an odd positive integer such that 65,537 <= e < 2**(nlen - 2*security_strength) where nlen is the length of the modulus n in bits. The security_strength is the work factor for brute force attack on the corresponding symmetric cipher or hash function, i.e., 128 for SHA-256. --Steven M. Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
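As an added illustration of the "must reject" point raised in the exponent-3 thread above, and of the FIPS 186-3 exponent rule quoted in this message, here is example code that is not from any of the posts or from any library: a lenient EMSA-PKCS1-v1_5 checker that stops reading once it has found the hash, beside a strict one that requires the entire encoded message to match, plus the exponent bound as a function. The RSA operation itself is left out, the sample message is constructed, the trailing-byte test input is constructed to show where the two checkers diverge, and the 256-byte length and helper names are assumptions.

```python
"""Strict vs. lenient checking of an EMSA-PKCS1-v1_5 encoded message, plus the
FIPS 186-3 public-exponent bound quoted in the thread.

Added example (not code from the list or from any named project). The RSA step
is omitted: the point is what the verifier does with the recovered encoded
message EM, which should look exactly like

    00 01 FF ... FF 00 <DigestInfo = DER prefix || hash>

with the padding filling the whole block. A verifier that stops parsing once it
has found the hash never examines what comes after it."""
import hashlib
import hmac

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def digest_info(message: bytes) -> bytes:
    return SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()


def emsa_pkcs1_v15_encode(message: bytes, em_len: int) -> bytes:
    """Proper encoding: the FF padding fills everything between 00 01 and 00."""
    t = digest_info(message)
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def lenient_check(em: bytes, message: bytes) -> bool:
    """Accepts as soon as header, some FF bytes, 00 and the right hash are seen;
    whatever follows the hash is never looked at (the 'must accept' reading)."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x01:
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    i += 1
    t = digest_info(message)
    return hmac.compare_digest(em[i:i + len(t)], t)


def strict_check(em: bytes, message: bytes) -> bool:
    """Recomputes the only valid EM for this length and requires equality, so
    short padding or trailing bytes are rejected (the 'must reject' reading)."""
    try:
        expected = emsa_pkcs1_v15_encode(message, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)


def constructed_em_with_trailing_bytes(message: bytes, em_len: int) -> bytes:
    """Constructed test input: minimal padding, correct hash, then filler bytes."""
    t = digest_info(message)
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    return head + b"\x42" * (em_len - len(head))


def exponent_allowed_fips186_3(e: int, nlen: int, security_strength: int) -> bool:
    """The draft FIPS 186-3 rule quoted above: e odd, 65537 <= e < 2**(nlen - 2*s)."""
    return e % 2 == 1 and 65537 <= e < 2 ** (nlen - 2 * security_strength)


if __name__ == "__main__":
    msg = b"constructed test message"
    good = emsa_pkcs1_v15_encode(msg, 256)
    bad = constructed_em_with_trailing_bytes(msg, 256)
    print("well-formed EM: lenient", lenient_check(good, msg), "strict", strict_check(good, msg))
    print("trailing bytes: lenient", lenient_check(bad, msg), "strict", strict_check(bad, msg))
    for e in (3, 17, 65537):
        print(f"e={e}, RSA-2048 at 112-bit strength:", exponent_allowed_fips186_3(e, 2048, 112))
```

The strict form is what RFC 8017 prescribes: build EM' from the message and compare the whole string. Nothing the lenient form reads is checked wrongly; the defect is in what it never reads.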
Re: Circle Bank plays with two-factor authentication
On Thu, 28 Sep 2006 12:34:24 -0700, Ed Gerck [EMAIL PROTECTED] wrote: Circle Bank is using a coordinate matrix to let users pick three letters according to a grid, to be entered together with their username and password. The matrix is sent by email, with the user's account sign on ID in plaintext. Worse, the matrix is pretty useless for the majority of users, with less usability than anything else I saw in a long time. This is what the email says: ... This illustrates that playing with two-factor authentication can make the system less secure than just username/password, while considerably reducing usability. A lose-lose for users. I'd like to hear why you think the scheme isn't that usable. I disagree with you about its security. The question is what the threat model is. We all know that email can be intercepted over the wire. We also know that that's not very common or very easy, except for wireless hotspots. I assert that *most* email does not flow over such links, and that the probability of a successful interception by someone who's staked out a hotspot is quite low. Residential wireless? Sure, there's a lot of it, mostly unencrypted. If you're a bad guy, is there any reason you should be watching for that particular piece of email? You don't even know who the customers of that bank are. (Sure, there can be targeted attacks aimed at a given individual. Unless you're a member of the HP board of directors or a prominent technology journalist, that risk is low, too.) Again -- the scheme isn't foolproof, but it's probably *good enough*. What is their threat? There are two obvious answers: phishing and keystroke loggers. It works very well against the first, and tolerably well against the second, at least until the scheme catches on. A phisher has no knowledge of what challenges will appear, so that won't do much. (OTOH, an active attacker -- one who waits for you to connect to the site, then connects to the real bank and echoes the real challenge -- will succeed, but an active attacker will succeed against any scheme that doesn't involve bilateral authentication.) As for keystroke loggers -- the bad guy would have to capture enough table entries that they'd have a reasonable probability of seeing challenges they'd already received. The bad guy's strategy might be to try a lot of logins, until they hit a lucky set, but the bank's obvious defense is to lock people out after too many failed attempts. Yes, that's denial of service, but that's not the bad guy's goal here. In short -- I think that the scheme is well-matched to the threat. The one thing they should have done differently is not put the username in the same email -- you're told to safeguard the matrix, so you don't want to send the two in the same message, where someone who has compromised the file will get both. I agree that a matrix you need to look at is harder to use than, say, a password, but most two-factor schemes are going to be somewhat difficult. --Steven M. Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
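An added example, not Circle Bank's system and not code from the thread, of the scheme as described in the exchange above: a server that issues three-cell challenges against a per-user letter grid, locks the account after repeated failures, and the arithmetic behind the keystroke-logger argument, namely how many cells a logger has seen after observing n logins and the chance that a fresh challenge lands entirely on cells it already knows. The 5x5 grid, the three-cell challenge, the five-strike lockout and all helper names are assumptions.

```python
"""Coordinate-matrix challenge/response with lockout, plus the exposure a
keystroke logger accumulates per observed login.

Added example; not any bank's or vendor's code. Grid size, challenge size and
lockout threshold are assumptions."""
import hmac
import math
import random
import secrets
import string

ROWS, COLS = 5, 5          # assumed grid: 25 cells
CHALLENGE_CELLS = 3        # the post describes a three-letter challenge
MAX_FAILURES = 5           # assumed lockout threshold


def make_rng(seed=None):
    """SystemRandom for real use; a seeded Random only for repeatable demos/tests."""
    return random.Random(seed) if seed is not None else secrets.SystemRandom()


def new_matrix(rng=None) -> dict:
    """Per-user card mapping (row, col) to a random letter; this is what gets mailed."""
    rng = rng or make_rng()
    return {(r, c): rng.choice(string.ascii_uppercase)
            for r in range(ROWS) for c in range(COLS)}


class MatrixAuthenticator:
    """Server side for one user: a fresh challenge per attempt, lockout on failures."""

    def __init__(self, matrix: dict, rng=None):
        self.matrix = matrix
        self.rng = rng or make_rng()
        self.failures = 0
        self.pending = None     # cells asked in the outstanding challenge

    @property
    def locked(self) -> bool:
        return self.failures >= MAX_FAILURES

    def challenge(self) -> tuple:
        """Picks CHALLENGE_CELLS distinct cells; replaces any earlier challenge."""
        if self.locked:
            raise PermissionError("account locked")
        self.pending = tuple(self.rng.sample(sorted(self.matrix), CHALLENGE_CELLS))
        return self.pending

    def verify(self, response: str) -> bool:
        """Compares the answer with the letters at the challenged cells, in order.
        A challenge is consumed on first use, so a captured answer only helps an
        attacker if the same cells come up again."""
        if self.locked or self.pending is None:
            return False
        expected = "".join(self.matrix[cell] for cell in self.pending)
        self.pending = None
        ok = hmac.compare_digest(expected.encode(), response.upper().encode())
        self.failures = 0 if ok else self.failures + 1
        return ok


def replay_probability(cells_seen: int, total_cells: int = ROWS * COLS,
                       k: int = CHALLENGE_CELLS) -> float:
    """Chance that a fresh random k-cell challenge lies entirely within the
    cells_seen cells whose letters a keystroke logger has already captured."""
    if cells_seen < k:
        return 0.0
    return math.comb(cells_seen, k) / math.comb(total_cells, k)


def expected_cells_seen(logins_observed: int, total_cells: int = ROWS * COLS,
                        k: int = CHALLENGE_CELLS) -> float:
    """Expected number of distinct cells exposed after n observed logins, each
    challenge being an independent uniformly random k-subset of the grid."""
    p_unseen_per_login = 1 - k / total_cells
    return total_cells * (1 - p_unseen_per_login ** logins_observed)


if __name__ == "__main__":
    rng = make_rng(7)                   # seeded only so the demo is repeatable
    card = new_matrix(rng)
    auth = MatrixAuthenticator(card, rng)
    cells = auth.challenge()
    answer = "".join(card[c] for c in cells)
    print("challenge", cells, "-> accepted:", auth.verify(answer))
    for n in (1, 5, 10, 20):
        seen = expected_cells_seen(n)
        print(f"after {n:2d} observed logins: ~{seen:4.1f} cells known, "
              f"replay chance {replay_probability(round(seen)):.1%}")
```

The numbers make the post's point concrete: after one observed login the logger knows three of 25 cells and a fresh challenge reuses exactly those with probability 1/2300; after twenty observed logins it knows roughly 23 cells, and the lockout is the only thing still standing between it and a successful guess.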
Re: handling weak keys using random selection and CSPRNGs
Given how rare weak keys are in modern ciphers, I assert that code to cope with them occurring by chance will never be adequately tested, and will be more likely to have security bugs. In short, why bother? - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Government crypto?
http://www.theonion.com/content/node/53928 --Steven M. Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: handling weak keys using random selection and CSPRNGs
On Thu, 12 Oct 2006 16:50:13 -0400 (EDT), Leichter, Jerry [EMAIL PROTECTED] wrote: This suggests that, rather than looking for weak keys as such, it might be worth it to do continuous online testing: Compute the entropy of the generated ciphertext, and its correlation with the plaintext, and sound an alarm if what you're getting looks wrong. This might be a worthwhile thing to have, not just for detecting weak keys, but to detect all kinds of software and hardware failures. Since it's outside of the actual encryption datapath, a bug either fails to sound an alarm when it should - leaving you where you were without this new check - or sounds a false alarm, which unless it occurs too often, shouldn't be such a big deal. This is a very interesting suggestion, but I suspect people need to be cautious about false positives. MP3 and JPG files will, I think, have similar entropy statistics to encrypted files; so will many compressed files. For a more substantive, less hand-wavey analysis, see http://www.isoc.org/isoc/conferences/ndss/05/proceedings/papers/storageint.pdf which has actual file system entropy measurements. --Steven M. Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
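As an added example, not code from the thread, of the monitor Jerry Leichter proposes and of the caveat in the reply: a byte-entropy and plaintext-agreement check run over constructed data. Two constructed failure modes (the cipher bypassed, and a keystream stuck at one byte value) trip the alarm; zlib-compressed plaintext does not, because its byte entropy is as high as cipher output, which is exactly why entropy alone cannot tell the two apart. The thresholds, the 16-symbol plaintext alphabet and the seeded stand-in for cipher output are assumptions.

```python
"""Online sanity check on cipher output, of the kind proposed in the thread:
byte entropy of the ciphertext and its positional agreement with the plaintext.

Added example, not code from the posts. Failure models and thresholds are
assumptions; real cipher output is stood in for by seeded random bytes."""
import math
import random
import zlib
from collections import Counter

ENTROPY_ALARM = 7.5     # bits per byte; assumed threshold
MATCH_ALARM = 0.02      # ~5x the 1/256 agreement expected between unrelated bytes


def byte_entropy(data: bytes) -> float:
    """Shannon entropy of the byte histogram, in bits per byte (maximum 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def match_rate(plaintext: bytes, ciphertext: bytes) -> float:
    """Fraction of positions at which ciphertext byte == plaintext byte."""
    n = min(len(plaintext), len(ciphertext))
    if n == 0:
        return 0.0
    return sum(p == c for p, c in zip(plaintext, ciphertext)) / n


def assess(plaintext: bytes, ciphertext: bytes) -> dict:
    """Runs both measurements and says whether an alarm should be raised."""
    h = byte_entropy(ciphertext)
    m = match_rate(plaintext, ciphertext)
    reasons = []
    if h < ENTROPY_ALARM:
        reasons.append(f"low ciphertext entropy {h:.2f} bits/byte")
    if m > MATCH_ALARM:
        reasons.append(f"ciphertext equals plaintext at {m:.1%} of positions")
    return {"entropy": h, "match_rate": m, "alarm": bool(reasons), "reasons": reasons}


def constructed_plaintext(n: int, seed: int = 0) -> bytes:
    """Constructed 'document': bytes from a 16-symbol alphabet (about 4 bits/byte)."""
    rng = random.Random(seed)
    return bytes(rng.choice(b"abcdefghijklmnop") for _ in range(n))


def constructed_ciphertext(n: int, seed: int = 1) -> bytes:
    """Stand-in for healthy cipher output: uniformly random bytes (seeded for the demo)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def xor_with_constant(data: bytes, key: int) -> bytes:
    """Failure model: a keystream stuck at a single byte value."""
    return bytes(b ^ key for b in data)


def constructed_compressed(data: bytes) -> bytes:
    """The false-alarm case from the reply: compressed plaintext, no cipher at all."""
    return zlib.compress(data, 9)


if __name__ == "__main__":
    pt = constructed_plaintext(65536)
    cases = {
        "healthy cipher output": constructed_ciphertext(len(pt)),
        "cipher bypassed (ct == pt)": pt,
        "stuck keystream (ct == pt ^ 0x55)": xor_with_constant(pt, 0x55),
        "compressed plaintext, no cipher": constructed_compressed(pt),
    }
    for name, ct in cases.items():
        r = assess(pt, ct)
        print(f"{name:34s} H={r['entropy']:.3f} match={r['match_rate']:.4f} "
              f"alarm={r['alarm']} {'; '.join(r['reasons'])}")
```

The last case is the one to watch: the monitor passes compressed-but-unencrypted data as healthy, so in a pipeline that compresses before encrypting, a bypassed cipher stage would go unnoticed by this check alone. The plaintext-agreement test is cheap and independent of entropy, which is why the two are combined.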
physical-layer traffic analysis
Some folks might be interested in http://villagevoice.com/news/0642,torturetaxi,74732,2.html -- it's not precisely traffic analysis, but there are enough similar techniques that I think it's relevant to this list. --Steven M. Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Traffic Analysis References
On Mon, 23 Oct 2006 11:43:17 +0200, George Danezis [EMAIL PROTECTED] wrote: Hi Leandro, I am compiling a review paper on traffic analysis as well as a talk. They can be found here: http://homes.esat.kuleuven.be/~gdanezis/TAIntro.pdf http://homes.esat.kuleuven.be/~gdanezis/talks/TAIntro-prez.pdf These will soon be expanded (by January) since they are going to be presented as a talk to the CCC (Berlin) as well as a book chapter. If anyone with material on the subject can give me more pointers I would be most grateful. Very nice summary. I'd add a few things. First, on a topical note, Hewlett-Packard obtained call records of various people, including members of its own board and reporters for major publications. In other words, there's a private sector threat. Second, in many cases the beauty of traffic analysis is that it can be done after the fact. Phone companies don't keep recordings of all conversations; they do keep billing data. In a legal vein, in some jurisdictions (i.e., the U.S.) traffic analysis warrants are *much* easier to obtain than wiretaps. Philosophically, the distinction is because traffic analysis data (and in particular telephone calling records) is information that was voluntarily given to a third party, the phone company. There is thus no expectation of privacy. Again, this is U.S. law; your jurisdiction's law may vary. Finally, you should cite the Zendian problem, since it's a classic published training exercise. --Steven M. Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: [Cfrg] Applications of target collisions: Pre or post-dating MD5-based RFC 3161 time-stamp tokens
So how close are we getting to first or second preimage attacks? - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Are laptop search seizures increasing use of disk crypto?
On Thu, 26 Oct 2006 10:29:52 +0530, Udhay Shankar N [EMAIL PROTECTED] wrote: Like the subject says - I'm curious whether the current regime of inspection and forensic analysis of laptops, primarily in the US, has affected corporate policies regarding disk crypto. Is there anybody studying this? Any resources available online? There was a related story in Tuesday's NY Times (http://travel2.nytimes.com/2006/10/24/business/24road.html for subscribers -- and get there before Tuesday, so you don't have to pay), on At U.S. Borders, Laptops Have No Right to Privacy. --Steven M. Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Can you keep a secret? This encrypted drive can...
On Thu, 02 Nov 2006 10:42:29 -0500, Ivan Krstić [EMAIL PROTECTED] wrote: Adam Shostack wrote: Just a nit: as I understand things, Bitlocker is available, but not on, by default. Someone needs to actively flip a switch to make it go. Ah, okay. The notes I jotted down from MacIver's talk at HITB in Malaysia indicate he said it was on by default in the upper versions, but I could well have written it down incorrectly. Thanks for the correction. My understanding is that that was the plan, but concern about lost passwords made them change their minds. --Steven M. Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Cypherpunks make the OED :-)
On Sun, 05 Nov 2006 02:10:28 -0800, Bill Stewart [EMAIL PROTECTED] wrote:

> James Gleick's NYT article on the OED mentions "cypherpunk" among the words recently added to the dictionary.
> http://www.nytimes.com/2006/11/05/magazine/05cyber.html?pagewanted=all
> The page requires registration to access, though there are enough popular pseudonyms that have done so; I don't know if any of the cypherpunks/somepassword combinations still work; I've been using one of the no-response email systems for my login.
>
> http://www.oed.com/help/updates/latest-additions.html
> I don't have a subscription to the online dictionary to see what they said about it.

University libraries are useful...

  Cypherpunk, n. Computing slang. A person who uses encryption when sending emails in order to ensure privacy, esp. from government authorities.

  1992 Mondo 2000 No. 8. 37/4 I've heard that cypherpunks are already distributing their encrypted email software, which is quick and slick.
  1995 Wired Jan. 149/1 Parekh, a young, anarchistic cypherpunk, is dedicated to privacy through strong cryptography.
  2005 P. KEEFE Chatter vii. 169 Their articles were translated from Danish into English and French and replicated again and again on the Web, posted on Cryptome and debated by Cypherpunks, forwarded around by e-mail.

They are open to comments and criticisms... One caveat: for citations, they want *only* written works for the citation section.
Re: Citibank e-mail looks phishy
On Tue, 14 Nov 2006 18:21:38 -0500 (EST), Leichter, Jerry [EMAIL PROTECTED] wrote:

> One of Henry Petroski's early books is "To Engineer Is Human: The Role of Failure in Successful Design". Petroski argues that we only learn from failure. Success tells us how to build exactly the same thing the next time. Failure is the inevitable result of pushing out beyond what you already know. (Wonderful book, highly recommended.)
>
> It's a curiosity of the financial industries that they repeatedly forget what they've learned! Architects design buildings that stay up. Engineers build bridges that don't fail when the wind blows. Doctors abandon treatments that kill patients and don't go back to them. In most fields, failures are translated into best practices that are used to produce codes and rules and educational methods and such that avoid repeating those failures - and remain in force pretty much forever (sometimes beyond their useful lifetime, but that's a different problem).

I wish that were true of our field...

  In particular, the principles of uniformity, evolvability, portability and convenience are most flagrantly avoided. There seem to be many reasons for the avoidance of the principles. The following all appear to be at least partially relevant.

  1. We don't write. The principles are badly formulated; papers containing them are badly written, badly motivated or inconclusive, or else never written at all. Many such papers tell how a system should be or is going to be developed; few papers analyze carefully and conclusively the results of a system development.

  2. We don't read. Very few system developers are familiar with work done outside of their own project.

  3. We profit neither from our mistakes nor from our successes. After a success, we tend to go out and make a new collection of mistakes (such as trying to build a grand design after a small system).

  ...

  5. We tend to repeat the mistakes of others.

From "The Role of Motherhood in the Pop Art of System Programming", Peter Neumann, 1969.

One of my favorite papers is Epstein, McHugh, and Pascale's "Evolution of a Trusted B3 Window System Prototype", because it describes an approach that didn't work. Such papers are all too rare.
Re: cellphones as room bugs
On Sun, 3 Dec 2006 20:26:07 -0500 Thor Lancelot Simon [EMAIL PROTECTED] wrote:

> On Sat, Dec 02, 2006 at 05:15:02PM -0500, John Ioannidis wrote:
> > On Sat, Dec 02, 2006 at 10:21:57AM -0500, Perry E. Metzger wrote:
> > > Quoting:
> > >   The FBI appears to have begun using a novel form of electronic surveillance in criminal investigations: remotely activating a mobile phone's microphone and using it to eavesdrop on nearby conversations.
> >
> > Not very novel; ISDN phones, all sorts of digital-PBX phones, and now VoIP phones, have this feature (in the sense that, since there is no physical on-hook switch (except for the phones in Sandia and other such places), it's the PBX that controls whether the mike goes on or not).
>
> It's been a while since I built ISDN equipment but I do not think this is correct: can you show me how, exactly, one uses Q.931 to instruct the other endpoint to go off-hook?

I don't recall if it's Q.931 per se, as much as the CO. Or rather, I know for certain that various government security agencies were quite unhappy about ISDN phones with speakerphone capability being deployed in sensitive sites. The speaker button was not, as I understood it, a hard button; it was a soft button that the switch responded to.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
gang uses crypto to hide identity theft databases
http://www.zdnet.co.uk/misc/print/0%2C100169%2C39285188-39001093c%2C00.htm

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: (Short) Intro and question
On Sat, 06 Jan 2007 13:13:32 -0800 Allen [EMAIL PROTECTED] wrote:

> Hi everyone,
>
> I'm Allen Schaaf and I'm primarily an information security analyst - I try to look at things like a total stranger and ask all the dumb questions hoping to stumble on one or two that hadn't been asked before that will reveal a potential risk. I'm currently consulting at a very large HMO and finding that there are lots of questions that have not been asked so I'm having fun.
>
> One of the questions that I have been raising is trust and how to ensure that it is not misplaced or eroded over time. Which leads me to my question for the list:
>
> I can see easily how to do split key for 2 out of x for key recovery, but I can't seem to find a reference to the 3 out of x problem. In case I have not been clear enough, it is commonly known that it is harder to get collusion when three people need to act together than when there are just two. For most encryption 2 out of x is just fine, but some things need a higher level of security than 2 out of x can provide.

There's a vast literature on the subject. The classic paper is "How to Share a Secret", by Shamir, Comm. ACM 22:11, Nov 1979. Gus Simmons published a survey of the field about 10 years ago, but I don't have the citation handy. I've always been fond of "Cryptographic sealing for information secrecy and authentication", David Gifford, Comm. ACM 25:4, April 1982, but remarkably few people seem to have heard of it -- even Simmons was surprised when I mentioned it to him.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: [Cryptocollectors] STU III 2500
On Thu, 11 Jan 2007 06:30:08 -0500 Richard Brisson [EMAIL PROTECTED] wrote:

> Good morning all,
>
> Available to those in the U.S., STU-III 2500 with manual and AC adapter (and perhaps even a key in the plastic bag but it's not stated nor obvious) on eBay: 330073910569

It appears to be a Type 2 encryptor (sensitive-but-unclassified traffic), according to http://packetstormsecurity.org/apoc2k/cue/comsec

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?
On Mon, 15 Jan 2007 08:39:18 -0800 Saqib Ali [EMAIL PROTECTED] wrote:

> An article on how to use freely available Full Disk Encryption (FDE) products to protect the secrecy of the data on your laptops. FDE solutions help to prevent data leaks in case the laptop is stolen or goes missing. The article includes a brief intro, benefits, drawbacks, some tips, and a complete list of FDE solutions in the market.
>
> http://www.full-disk-encryption.net/intro.php

I'll turn it around -- why should you use it?

In most situations, disk encryption is useless and probably harmful. It's useless because you're still relying on the OS to prevent access to the cleartext through the file system, and if the OS can do that it can do that with an unencrypted disk. It's harmful because you can lose a key. (Your web page does address that, but I'm perplexed -- what is "challenge/response authentication" for key recovery?)

Disk encryption, in general, is useful when the enemy has physical access to the disk. Laptops -- the case you describe on your page -- do fit that category; I have no quarrel with disk encryption for them. It's more dubious for desktops and *much* more dubious for servers. (Caveat: I'm assuming that when you dispose of systems, you run DBAN or some such on the drives -- if not, we're back to the physical access threat.)

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?
On Tue, 16 Jan 2007 07:56:22 -0800 Steve Schear [EMAIL PROTECTED] wrote:

> At 06:32 AM 1/16/2007, Steven M. Bellovin wrote:
> > Disk encryption, in general, is useful when the enemy has physical access to the disk. Laptops -- the case you describe on your page -- do fit that category; I have no quarrel with disk encryption for them. It's more dubious for desktops and *much* more dubious for servers.
>
> As governments widen their definitions of just who is a potential threat it makes increasing sense for citizens engaged in previously innocuous activities (especially political and financial privacy) to protect their data from being useful if seized. This goes double for those operating privacy-oriented services and their servers. As an example, when TOR servers were recently seized in German raids (with the implication that they were being used as conduits for child porn) the police knew enough to only take the hot-swap drives (which were encrypted and therefore paper weights after removal) if only for show. The main loss to the operators was repair to the cage locks.

Legal access is a special case -- what is the law (and practice) in any given country on forced access to keys? If memory serves, Mike Godwin -- a lawyer who strongly supports crypto, etc. -- has opined that under US law, a subpoena for keys would probably be upheld by the courts. I believe that British law explicitly mandates key disclosure. And of course, there's always rubber hose cryptanalysis in jurisdictions where that's acceptable.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?
On Tue, 16 Jan 2007 08:19:41 -0800 Saqib Ali [EMAIL PROTECTED] wrote:

> Dr. Bellovin,
>
> > In most situations, disk encryption is useless and probably harmful. It's useless because you're still relying on the OS to prevent access to the cleartext through the file system, and if the OS can do that it can do that with an unencrypted disk.
>
> I am not sure I understand this. With FDE, the HDD is unlocked by a pre-boot kernel (linux). It is not the function of the resident OS to unlock the drive.

Not necessarily -- many of my systems have multiple disk drives and file systems, some of which are on removable media. Apart from that, though, this is reinforcing my point -- what is the threat model?

> > It's harmful because you can lose a key. (Your web page does address that, but I'm perplexed -- what is "challenge/response authentication" for key recovery?)
>
> Challenge/Response password recovery, as I understand, is a very simplified implementation of Secret Sharing. It allows for 2 parties, in this case the IT HelpDesk and the User, to collaborate and recover a Secret.
>
> 1) Upon forgetting the password, the user calls the Help Desk.
> 2) The IT Help Desk authenticates the user in the usual ways (e.g. check office voice mail etc), as the policy dictates.
> 3) Once authenticated the user gives the partial secret to the HelpDesk.
> 4) The HelpDesk then combines it with the secret they have to produce a temporary password.
> 5) The temporary password is then used to unlock the HDD once, and new credentials are created.

I wouldn't call that challenge/response, I'd call that key escrow. Key escrow isn't a bad idea for storage encryption, but you need *really* good authentication mechanisms for the backup channel. Visualize this phone call to the help desk:

  "Hi, I'm Pat, the CFO. I'm in New York for the Board meeting, and my laptop blue-screened and won't reboot -- it's not accepting my passphrase. Help!"

Of course, more or less by definition, Pat isn't online at that point, so the help desk can't manipulate anything remotely. (I should add that most secondary authentication mechanisms I've seen are garbage, especially when it comes to people on the road. Since we're talking about laptops here, that's a very serious threat.)

I don't dispute the need for FDE for (many) laptops. But remember that security is a systems property; it's not something you can get by bolting on crypto.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
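Both the "3 out of x" question in Allen's thread above and the user/help-desk recovery split described in the FDE exchange just above are instances of threshold secret sharing. The following is an added example, not code from either thread or from any FDE product: a textbook Shamir scheme over the prime field GF(2^521 - 1), splitting a constructed 256-bit volume key 3-of-5 (any three custodians recover, no two can) and 2-of-2 (user plus help desk). The stored SHA-256 digest of the key is this example's addition: Shamir shares carry no authentication, so without it too few or corrupted shares yield a wrong key silently. Field choice, key size and digest check are assumptions of this example.

```python
"""Shamir (t, n) secret sharing over GF(p): 3-of-5 key recovery and a
2-of-2 user/help-desk escrow split. Added example, not code from the thread."""
import hashlib
import secrets

# Field: the Mersenne prime 2**521 - 1. Any secret of up to 64 bytes
# (e.g. a 256-bit FDE volume key) is a field element.
P = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[i] * x**i) mod P; coeffs[0] is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: bytes, threshold: int, n_shares: int):
    """Return n_shares points (x, y); any `threshold` of them reconstruct `secret`.
    x starts at 1 because the point x = 0 *is* the secret."""
    if not 1 <= threshold <= n_shares:
        raise ValueError("need 1 <= threshold <= n_shares")
    s = int.from_bytes(secret, "big")
    if s >= P:
        raise ValueError("secret does not fit in the field")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [s] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def recover_int(points):
    """Lagrange interpolation at x = 0. With fewer than `threshold` points this
    still returns *a* value, just not the secret; callers must verify it."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P     # nonzero: x values distinct
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def recover_secret(points, secret_len: int, expected_digest: bytes) -> bytes:
    """Reconstruct and check against the SHA-256 digest stored with the shares,
    so an insufficient or corrupted share set raises instead of returning garbage."""
    value = recover_int(points)
    if value.bit_length() > 8 * secret_len:
        raise ValueError("reconstruction failed: not enough valid shares")
    secret = value.to_bytes(secret_len, "big")
    if hashlib.sha256(secret).digest() != expected_digest:
        raise ValueError("reconstruction failed: share set is wrong or corrupted")
    return secret


def demo():
    key = secrets.token_bytes(32)          # constructed: a fresh 256-bit volume key
    digest = hashlib.sha256(key).digest()  # stored alongside the shares

    # 3-of-5: five custodians; any three recover, two cannot.
    shares = split_secret(key, threshold=3, n_shares=5)
    assert recover_secret([shares[0], shares[2], shares[4]], 32, digest) == key
    try:
        recover_secret(shares[:2], 32, digest)
        two_enough = True
    except ValueError:
        two_enough = False

    # 2-of-2 escrow: one share to the user, one to the help desk.
    user_share, helpdesk_share = split_secret(key, threshold=2, n_shares=2)
    escrowed = recover_secret([user_share, helpdesk_share], 32, digest)
    return two_enough, escrowed == key


if __name__ == "__main__":
    print(demo())
```

The digest does not weaken the scheme (it reveals nothing about a 256-bit random key) but it turns the classic failure of a help-desk procedure, combining the wrong or a mistyped share and handing out a "temporary password" that unlocks nothing, into an immediate error. Shares themselves still need confidentiality and integrity in storage and in transit; Shamir provides neither.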
Re: Private Key Generation from Passwords/phrases
On Sat, 20 Jan 2007 18:41:34 -0600 Travis H. [EMAIL PROTECTED] wrote:

> BTW, dictionary attacks can probably be effectively resisted by making the hashes of passwords twice as big, and using a random value concatenated with the password before hashing, and storing it alongside the hash (it's like crypt(3) salting, but more so). If the password is important to keep from disclosure beyond the needs of this security system, one could even truncate the output of the hash to half its size, so that there's multiple preimages; since you doubled the hash size to begin with, you end up with the same security factor against guessing, I believe.

Could you explain this? It's late, but this makes no sense at all to me. Dictionary attacks work by guessing -- if the random salt is visible to the attacker, I don't know what "more so" might mean. Similarly, the size of the output is irrelevant; we're not talking about cryptanalysis here. As best I can tell, increasing the output size and/or the salt size increases the size of a precomputed dictionary, but that's not the only form of dictionary attack -- see M. Bishop, "An Application of a Fast Data Encryption Standard Implementation," Computing Systems 1(3), pp. 221-254 (Summer 1988), for example.

One sometimes sees claims that increasing the salt size is important. That's very far from clear to me. A collision in the salt between two entries in the password file lets you try each guess against two users' entries. Since calculating the guess is the hard part, that's a savings for the attacker. With 4K possible salts, you'd need a very large password file to have more than a very few collisions, though. It's only a benefit if the password file (or collection of password files) is very large. There is also some benefit if the attacker is precomputing dictionaries, but there the size of the search space is large enough that the salt factor isn't that important given even minimal quality checks.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Fw: NIST announces Draft Requirements and Evaluation Criteria for New Hash Algorithms
Begin forwarded message:

Date: Tue, 23 Jan 2007 12:03:45 -0500
From: Shu-jen Chang [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: NIST announces Draft Requirements and Evaluation Criteria for New Hash Algorithms

NIST Wants Comments on Proposed Hash Algorithm Requirements and Evaluation Criteria

The National Institute of Standards and Technology is planning a competition to develop one or more cryptographic hash algorithms to augment and revise the current Secure Hash Standard (Federal Information Processing Standard 180-2). As a first step in this process, NIST is publishing draft minimum acceptability requirements, submission requirements, and evaluation criteria for candidate algorithms (see the Federal Register Announcement on http://www.nist.gov/hash-function), and requests public comment by April 27, 2007.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Forwarded: Request for Comments on primality testing
From: Elaine Barker [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Request for Comments on primality testing
Date: Tue, 23 Jan 2007 16:18:59 -0500
X-Mailer: QUALCOMM Windows Eudora Version 6.2.3.4

NIST received many comments when Draft FIPS 186-3 was posted for public comment during the spring of 2006 (see Note above). Several comments concerned the number of tests required for primality testing. In response, NIST surveyed the latest literature available on this topic and is providing alternatives for your consideration (see http://csrc.nist.gov/CryptoToolkit/tkdigsigs.html). Please provide comments to [EMAIL PROTECTED] by February 23rd, 2007, inserting "Comments on FIPS 186-3 Primality Testing" in the subject line. NIST is particularly interested in comments relating to the security of the new proposal versus the values currently used in Draft FIPS 186-3.

Elaine Barker
National Institute of Standards and Technology
100 Bureau Drive, Stop 8930
Gaithersburg, MD 20899-8930
301-975-2911
Re: Private Key Generation from Passwords/phrases
On Mon, 22 Jan 2007 16:57:34 -0800 Abe Singer [EMAIL PROTECTED] wrote:

> On Sun, Jan 21, 2007 at 12:13:09AM -0500, Steven M. Bellovin wrote:
> > One sometimes sees claims that increasing the salt size is important. That's very far from clear to me. A collision in the salt between two entries in the password file lets you try each guess against two users' entries. Since calculating the guess is the hard part, that's a savings for the attacker. With 4K possible salts, you'd need a very large password file to have more than a very few collisions, though. It's only a benefit if the password file (or collection of password files) is very large.
>
> Definition of "very large" can vary. (alliteration intended). Our userbase is about 6,000 active users, and over the past 20 years we've allocated at least 12,000 accounts. So we definitely have collisions in 4k salt space. I'm not speaking to collisions in passwords, just salts.
>
> UCSD has maybe 60,000 active users. I think "very large" is very common in the University environment.

Is that all in one /etc/passwd file (or the NIS equivalent)? Or is it a Kerberos KDC? I note that a salt buys the defense much less in a Kerberos environment, where capture of the KDC database lets an attacker roam freely, and the salt simply protects other sites where users may have used the same password.

Beyond that, 60K doesn't make that much of a difference even with a traditional /etc/passwd file -- it's only an average factor of 15 reduction in the attacker's workload. While that's not trivial, it's also less than, say, a one-character increase in average password length.

That said, the NetBSD HMAC-SHA1 password hash, where I had some input into the design, uses a 32-bit salt, because it's free.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
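To put numbers on the salt-collision argument running through the two messages above (the "average factor of 15" for 60,000 users in a 4K salt space, and why a 32-bit salt makes that factor vanish), here is an added example that is not code from the thread: the expected-distinct-salts formula, and a small salt-grouping dictionary attack over a constructed password file that counts hash computations so the attacker's savings can be read off directly. The 50-word list, the 3000-user file and the use of a single SHA-256 in place of a slow password hash are constructed for the example; the accounting, not the hash speed, is the point.

```python
"""Salt-space size versus dictionary-attack workload. Added example for the
salt discussion in this thread; password file and word list are constructed,
and one SHA-256 stands in for the slow password hash a real system would use."""
import hashlib
import hmac
import random
from collections import defaultdict


def expected_distinct_salts(n_users: int, n_salts: int) -> float:
    """Expected number of distinct values among n_users salts drawn uniformly
    from n_salts possibilities: S * (1 - (1 - 1/S)**N)."""
    return n_salts * (1 - (1 - 1 / n_salts) ** n_users)


def workload_reduction(n_users: int, n_salts: int) -> float:
    """Attacker's savings from salt collisions: hashes per guess if every user
    had a unique salt (N) over hashes per guess with the real salt space (one
    hash per distinct salt covers everyone who shares it)."""
    return n_users / expected_distinct_salts(n_users, n_salts)


def hash_pw(salt: int, password: bytes) -> bytes:
    return hashlib.sha256(salt.to_bytes(4, "big") + password).digest()


def make_password_file(n_users: int, n_salts: int, words, seed: int = 1):
    """Constructed /etc/passwd-style entries (name, salt, hash); every user
    picks a word from `words`, so the whole file is crackable."""
    rng = random.Random(seed)
    entries = []
    for i in range(n_users):
        salt = rng.randrange(n_salts)
        entries.append((f"user{i}", salt, hash_pw(salt, rng.choice(words).encode())))
    return entries


def dictionary_attack(entries, words):
    """Group users by salt so each (word, salt) pair is hashed once and then
    compared against every user sharing that salt.
    Returns ({user: password}, number of hash computations)."""
    by_salt = defaultdict(list)
    for name, salt, digest in entries:
        by_salt[salt].append((name, digest))
    cracked, hash_ops = {}, 0
    for word in words:
        for salt, users in by_salt.items():
            candidate = hash_pw(salt, word.encode())
            hash_ops += 1
            for name, digest in users:
                if hmac.compare_digest(candidate, digest):
                    cracked[name] = word
    return cracked, hash_ops


WORDS = [f"password{i}" for i in range(50)]      # constructed weak-password list


def demo(n_users: int = 3000, salt_bits: int = 12):
    """Crack a constructed file with 12-bit (crypt(3)-style) salts. Returns
    (users cracked, hashes computed, distinct salts present in the file)."""
    entries = make_password_file(n_users, 1 << salt_bits, WORDS)
    cracked, ops = dictionary_attack(entries, WORDS)
    return len(cracked), ops, len({salt for _, salt, _ in entries})


if __name__ == "__main__":
    print(demo())
    print(workload_reduction(60_000, 4096))
    print(workload_reduction(60_000, 2**32))
```

With 3000 users in a 4096-value salt space the file already has far fewer distinct salts than users, and the attack's hash count is exactly `len(WORDS)` times that number, not `len(WORDS)` times the user count. At 60,000 users the reduction saturates at N/4096, the factor of about 15 cited above; with a 32-bit salt it is indistinguishable from 1.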
Re: Intuitive cryptography that's also practical and secure.
On Tue, 30 Jan 2007 16:10:47 -0500 (EST) Leichter, Jerry [EMAIL PROTECTED] wrote:

> | ...There's an obvious cryptographic solution, of course: publish the
> | hash of any such documents. Practically speaking, it's useless.
> | Apart from having to explain hash functions to lawyers, judges,
> | members of Congress, editorial page writers, bloggers, and talk
> | show hosts,...
>
> This is a common misconception. The legal system does not rely on lawyers, judges, members of Congress, and so on understanding how technology or science works. It doesn't rely on them coming to accept the trustworthiness of the technology on any basis a technologist would consider reasonable. All it requires is that they accept the authority of experts in the subject area, and that those experts agree strongly enough that the mechanism is sound.

I don't dispute your analysis. However, this case is not just a legal one, it's a political issue, which is why I spoke of editorial page writers, bloggers, and talk show hosts. All it will take is for enough technically-skilled conspiracy theorists to raise the issue of hash function collisions and NSA, and we won't hear the end of it for decades to come. (Did you know that President Kennedy was actually killed by a large prime factor discovered by the CIA...?)

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: Entropy of other languages
On Sun, 04 Feb 2007 15:46:41 -0800 Allen [EMAIL PROTECTED] wrote:

> Hi gang,
>
> An idle question. English has a relatively low entropy as a language. Don't recall the exact figure, but if you look at words that start with "q" it is very low indeed. What about other languages? Does anyone know the relative entropy of other alphabetic languages? What about the entropy of ideographic languages? Pictographic? Hieroglyphic?

It should be pretty easy to do at least some experiments today -- there's a lot of online text in many different languages. Have a look at http://www.gutenberg.org/catalog/ for freely-available books that one could mine for statistics.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
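As an added example of the experiment suggested above (not code from the thread), here is a per-symbol and conditional entropy estimator of the kind one would point at Gutenberg texts: H0 ignores context, H1 and H2 condition on one and two preceding symbols, and `next_symbol_entropy` shows the "q" effect Allen mentions. Everything is per Unicode code point, so the same estimator applies to alphabetic and ideographic text alike, with the caveat that a per-character figure for an ideographic script is closer to a per-word figure for English. The sample paragraph is constructed and is far too short for real numbers; plug-in estimates from short samples are biased low in the conditional case because most contexts are seen only once.

```python
"""Per-symbol and conditional entropy estimates from text. Added example;
the sample text is constructed and too short for meaningful figures."""
import math
import re
from collections import Counter


def normalize(text: str) -> str:
    """Lower-case and collapse whitespace. Every code point is one symbol,
    so any script works; no script-specific tokenizing is attempted."""
    return re.sub(r"\s+", " ", text.lower()).strip()


def entropy_bits(counts: Counter) -> float:
    """Shannon entropy H = -sum p log2 p over a frequency table."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def symbol_entropy(text: str) -> float:
    """Zeroth-order estimate: bits per symbol ignoring all context."""
    return entropy_bits(Counter(text))


def conditional_entropy(text: str, order: int = 1) -> float:
    """H(X_n | X_{n-order} .. X_{n-1}) = -sum p(ctx, x) log2 p(x | ctx),
    estimated from n-gram counts over the sample."""
    ctx, joint = Counter(), Counter()
    for i in range(order, len(text)):
        c = text[i - order:i]
        ctx[c] += 1
        joint[(c, text[i])] += 1
    n = sum(joint.values())
    return -sum(k / n * math.log2(k / ctx[c]) for (c, _), k in joint.items())


def next_symbol_entropy(text: str, context: str) -> float:
    """Entropy of the symbol that follows one specific context, e.g. 'q'."""
    following = Counter(text[i + len(context)]
                        for i in range(len(text) - len(context))
                        if text[i:i + len(context)] == context)
    return entropy_bits(following) if following else float("nan")


# Constructed sample; replace with a Gutenberg text for real measurements.
SAMPLE = normalize("""
    The quick brown fox jumps over the lazy dog. The question is quite simple:
    how much does each letter tell us about the next one? Queues of qualified
    readers quietly queried the quarterly report, and the answer was quiet.
""")


def report(text: str = SAMPLE) -> dict:
    return {
        "H0": symbol_entropy(text),
        "H1": conditional_entropy(text, 1),
        "H2": conditional_entropy(text, 2),
        "after_q": next_symbol_entropy(text, "q"),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value:.3f} bits")
```

Comparing languages this way needs comparable preprocessing (case folding, whitespace, punctuation) and samples of similar length per language, since the H1 and H2 estimates fall as the sample shrinks regardless of the language.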
Re: One Laptop per Child security
On Wed, 7 Feb 2007 15:04:40 -0800 Saqib Ali [EMAIL PROTECTED] wrote:

> And here is the wired coverage of the BitFrost platform:
> http://www.wired.com/news/technology/0,72669-0.html?tw=wn_culture_1
>
> From the article:
>
>   But it should come as no surprise -- given how thoroughly the project has rewritten the conventions of what a laptop should be -- that the OLPC's security isn't built on firewalls and anti-virus software. Instead, the XO will premiere a security system that takes a radical approach to computer protection. For starters, it does away with the ubiquitous security prompts so familiar to users of Windows and anti-virus software, said Ivan Krstic, a young security guru on break from Harvard, who's in charge of security for the XO.
>
>   "How can you expect a 6-year old to make a sensible decision when 40-year olds can't?" Krstic asked, in a session at the 2007 RSA Conference. Those boxes simply train users to check "yes," he argued. Krstic's system, known as the BitFrost platform...
>
> Read more at: http://www.wired.com/news/technology/0,72669-0.html?tw=wn_culture_1

We're digressing to general security topics here, but I'll take a chance that our moderator will allow this through -- I do mention crypto...

That firewalls should be omitted is no surprise. A firewall is a device for centralized policy enforcement; it's useful when policy to the outside -- whatever that is -- is different than policy for the inside. If you don't have a well-defined inside and outside, they're not very useful. However, their primary benefit comes from keeping the bad guys away from buggy code. That problem, I predict, will afflict this project as well -- just because a service uses cryptographic authentication doesn't make it immune to bugs, including bugs before the crypto authentication has succeeded.

Even if the crypto authentication succeeds, all it means is that some process on the other machine has access to the credentials; it says nothing about whether or not the human in front of that machine wants to connect.

The AV decision is more problematic. While a good security model can prevent system files from being overwritten, most worms use purely user-level abilities. It would take a fairly radical OS design to prevent a user-level worm from spreading. (Thought experiment: explain what OS facilities would have prevented the 1988 Internet worm from succeeding. My conclusion, way back when, that nothing in, say, the Orange Book would have stopped it was a major step in my evolution as a security researcher. It can be done, I suspect, but only by very stringent restrictions on application privileges. Have you designed such restrictions? Now assume it's a dual-mode worm, that attacks web servers and web browsers.)

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: One Laptop per Child security
On Thu, 08 Feb 2007 13:03:27 -0800 Ivan Krstić [EMAIL PROTECTED] wrote:

> Hi Paul,
>
> Paul J. Morris wrote:
> > If a worm can propagate to every OLPC laptop it must have network access in some form, this means it could use the entire set of OLPC laptops to perform a distributed denial of service attack on a target.
>
> Sort of. The worm would still be subject to connection rate and bandwidth throttling, so the laptops are not _that_ useful as a DDoS launchpad. But it's all a big hypothetical scenario, because finding invariants to infect across all OLPC systems is likely to prove extremely difficult; only applications that the user sometimes runs generally listen on a port and act as a server. There aren't going to be unprotected, constantly-running servers to exploit.

What about unprotected, frequently-running web browsers?

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: Failure of PKI in messaging
On Mon, 12 Feb 2007 17:03:32 -0500 Matt Blaze [EMAIL PROTECTED] wrote:

> I'm all for email encryption and signatures, but I don't see how this would help against today's phishing attacks very much, at least not without a much better trust management interface on email clients (of a kind much better than currently exists in web browsers). Otherwise the phishers could just sign their email messages with valid, certified email keys (that don't belong to the bank) the same way their decoy web traffic is sometimes signed with valid, certified SSL keys (that don't belong to the bank). And even if this problem were solved, most customers still wouldn't know not to trust unsigned messages purporting to be from their bank.

Precisely. The real problem is the human interface, where we're asking people to suddenly notice the absence of something they're not used to seeing in the first place. Yes, there have been studies. They've all been quite disappointing.

I'm working on some related material right now, with the financial sector. It's not an easy problem.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Fw: Revisions to NIST Special Publications
Begin forwarded message:

From: Elaine Barker [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Revisions to NIST Special Publications
Date: Mon, 12 Mar 2007 14:50:10 -0400
X-Mailer: QUALCOMM Windows Eudora Version 6.2.3.4

Revisions have been made to the following NIST Special Publications, which are available at http://csrc.nist.gov/publications/nistpubs/index.html:

1. SP 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography. This revised document is also available at http://csrc.nist.gov/CryptoToolkit/tkkeymgmt.html. The revision to this document is identified in Appendix E. It allows the dual use of keys during certificate requests only.

2. SP 800-57, Part 1, Recommendation for Key Management. This revised document is also available at http://csrc.nist.gov/CryptoToolkit/tkkeymgmt.html. The revisions to this document are listed in Appendix D. The latest revisions allow the dual use of keys during certificate requests only.

3. SP 800-90, Recommendation for Random Number Generation Using Deterministic Random Bit Generators. This revised document is also available at http://csrc.nist.gov/CryptoToolkit/tkrng.html. The revisions to this document are listed in Appendix I. These revisions include the insertion of a step in the Dual_EC_DRBG specification that was inadvertently omitted that is needed for the DRBG to provide backtracking resistance.

Elaine Barker
National Institute of Standards and Technology
100 Bureau Drive, Stop 8930
Gaithersburg, MD 20899-8930
301-975-2911
Re: More info in my AES128-CBC question
On Thu, 19 Apr 2007 22:32:58 -0700 Aram Perez [EMAIL PROTECTED] wrote:

> Hi Folks,
>
> First, thanks for all your answers. The proposal for using AES128-CBC with a fixed IV of all zeros is for a protocol between two entities that will be exchanging messages. This is being done in a standards body (OMA) and many of the attendees have very little security experience. As I mentioned, the response to my question of why would we standardize this was "that's how SD cards do it". I'll look at the references and hopefully convince enough people that it's a bad idea.

Let me make a stronger statement. If the standards group has very little security experience, they *will* get many things wrong. They desperately need to get several clueful individuals involved and *listen* to them. The WEP group made that mistake. I use WEP in my classes as a case study in how to do crypto wrong.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
phone encryption technology becoming popular in Italy
According to an NY Times article (http://news.com.com/Phone+taps+in+Italy+spur+rush+toward+encryption/2100-1029_3-6180118.html?tag=nefd.top), phone encryption technology is becoming popular in Italy because of many recent incidents of conversations being published. Sometimes, a wiretap is being leaked; other times, it seems to be private behavior:

  What has spurred encryption sales is not so much the legal wiretapping authorized by Italian magistrates--though information about those calls is also frequently leaked to the press--but the widespread availability of wiretapping technology over the Internet, which has created a growing pool of amateur eavesdroppers. Those snoops have a ready market in the Italian media for filched celebrity conversations.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Forwarded: Public comments on the hash algorithm requirements and evaluation criteria posted online
From: Shu-jen Chang [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Public comments on the hash algorithm requirements and evaluation criteria posted online
Date: Tue, 08 May 2007 12:13:58 -0400
X-Mailer: QUALCOMM Windows Eudora Version 5.1.1

FYI

Public comments on the hash algorithm requirements and evaluation criteria (see Federal Register Notice Vol. 72, No. 14, January 23, 2007) are now available for review at http://www.csrc.nist.gov/pki/HashWorkshop/Public_Comments/2007_May.html . For other information related to NIST's hash algorithm competition, please visit http://www.nist.gov/hash-function .

Regards,
Shu-jen
Re: More info in my AES128-CBC question
On Wed, 9 May 2007 15:35:44 -0400 Thor Lancelot Simon [EMAIL PROTECTED] wrote:

> On Wed, May 09, 2007 at 01:13:36AM -0500, Travis H. wrote:
>
>> On Fri, Apr 27, 2007 at 05:13:44PM -0400, Leichter, Jerry wrote:
>>
>>> Frankly, for SSH this isn't a very plausible attack, since it's not clear how you could force chosen plaintext into an SSH session between messages. A later paper suggested that SSL is more vulnerable: A browser plugin can insert data into an SSL protected session, so might be able to cause information to leak.
>>
>> Hmm, what about IPSec? Aren't most of the cipher suites used there CBC mode?
>
> ESP does not chain blocks across packets. One could produce an ESP implementation that did so, but there is really no good reason for that, and as has been widely discussed, an implementation SHOULD use a PRNG to generate the IV for each packet.

Mostly right. RFC 2405 stated:

   Implementation note: Common practice is to use random data for the first IV and the last 8 octets of encrypted data from an encryption process as the IV for the next encryption process; this logically extends the CBC across the packets.

not as a requirement but as a hint. On the other hand, RFC 3602 says

   The IV MUST be chosen at random, and MUST be unpredictable.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
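To show concretely why the fixed all-zero IV from the AES128-CBC thread above and the chained IV of the RFC 2405 implementation note are both problems, here is an added Go example; it is not code from the thread or from any of the posters, and the key and messages are constructed for the demonstration:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// demoKey is a constructed 128-bit key used only for this demonstration.
var demoKey = []byte("0123456789abcdef")

// cbcEncrypt runs AES-CBC over msg (a whole number of 16-byte blocks) under
// the caller-supplied IV and returns the ciphertext without the IV.
func cbcEncrypt(key, iv, msg []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	ct := make([]byte, len(msg))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, msg)
	return ct
}

// sharedPrefixBlocks counts the leading 16-byte blocks two ciphertexts have
// in common. Under the same key and the same IV, CBC repeats ciphertext
// blocks exactly as far as the plaintexts agree, so a fixed all-zero IV
// shows anyone on the wire which messages start alike, and how far.
func sharedPrefixBlocks(a, b []byte) int {
	n := 0
	for i := 0; i+16 <= len(a) && i+16 <= len(b); i += 16 {
		if !bytes.Equal(a[i:i+16], b[i:i+16]) {
			break
		}
		n++
	}
	return n
}

// chainedNextIV is the RFC 2405 implementation-note practice: the IV for
// the next packet is the last ciphertext block of the previous one. It is
// computable from traffic already seen, so it is predictable and fails the
// RFC 3602 rule that the IV MUST be unpredictable.
func chainedNextIV(prevCiphertext []byte) []byte {
	return prevCiphertext[len(prevCiphertext)-16:]
}

// encryptChained encrypts a packet sequence with the chained-IV scheme and
// also returns the IV each packet was encrypted under, so a caller can
// check that every IV after the first is derivable from prior ciphertext.
func encryptChained(key, firstIV []byte, pkts [][]byte) (cts, ivs [][]byte) {
	iv := firstIV
	for _, p := range pkts {
		ct := cbcEncrypt(key, iv, p)
		cts = append(cts, ct)
		ivs = append(ivs, iv)
		iv = chainedNextIV(ct)
	}
	return cts, ivs
}

// randomIV follows RFC 3602: a fresh, unpredictable IV for every message,
// transmitted in the clear next to the ciphertext.
func randomIV() []byte {
	iv := make([]byte, 16)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return iv
}

func main() {
	zero := make([]byte, 16)
	// Two constructed messages that differ only in their second block.
	m1 := []byte("CMD=SET_LIMIT  ;VALUE=0000001000")
	m2 := []byte("CMD=SET_LIMIT  ;VALUE=0000002000")

	c1, c2 := cbcEncrypt(demoKey, zero, m1), cbcEncrypt(demoKey, zero, m2)
	fmt.Println("fixed zero IV, shared ciphertext blocks:", sharedPrefixBlocks(c1, c2))

	r1, r2 := cbcEncrypt(demoKey, randomIV(), m1), cbcEncrypt(demoKey, randomIV(), m2)
	fmt.Println("random IVs, shared ciphertext blocks:   ", sharedPrefixBlocks(r1, r2))

	cts, ivs := encryptChained(demoKey, zero, [][]byte{m1, m2})
	fmt.Println("chained IV of packet 2 computable from packet 1:",
		bytes.Equal(chainedNextIV(cts[0]), ivs[1]))
}
```

With the zero IV the first ciphertext blocks of the two messages are identical; with fresh random IVs they never are, and the chained IV is exactly the previous packet's last block.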
wiretaps and encryption
Those who remember the Crypto Wars of the 1990s will recall all of the claims about "we won't be able to wiretap because of encryption". In that regard, this portion of the latest DoJ wiretap report is interesting:

   Public Law 106-197 amended 18 U.S.C. 2519(2)(b) to require that reporting should reflect the number of wiretap applications granted for which encryption was encountered and whether such encryption prevented law enforcement officials from obtaining the plain text of communications intercepted pursuant to the court orders. In 2006, no instances were reported of encryption encountered during any federal or state wiretap.

The situation may be different for national security wiretaps, but of course that's where compliance with any US anti-crypto laws is least likely. There was no mention of national security or terrorism-related wiretaps in the report, possibly because they've all been done with FISA warrants.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Blackberries insecure?
According to the AP (which is quoting Le Monde), "French government defense experts have advised officials in France's corridors of power to stop using BlackBerry, reportedly to avoid snooping by U.S. intelligence agencies."

That's a bit puzzling. My understanding is that email is encrypted from the organization's (Exchange?) server to the receiving Blackberry, and that it's not in the clear while in transit or on RIM's servers. In fact, I found this text on Blackberry's site:

   Private encryption keys are generated in a secure, two-way authenticated environment and are assigned to each BlackBerry device user. Each secret key is stored only in the user's secure regenerated by the user wirelessly. Data sent to the BlackBerry device is encrypted by the BlackBerry Enterprise Server using the private key retrieved from the user's mailbox. The encrypted information travels securely across the network to the device where it is decrypted with the key stored there. Data remains encrypted in transit and is never decrypted outside of the corporate firewall.

Of course, we all know there are ways that keys can be leaked.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Herbert Yardley trivia
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItemviewitem=item=180133437659#6376261103687981571 --Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: Why self describing data formats:
On Fri, 01 Jun 2007 20:59:55 +1000 James A. Donald [EMAIL PROTECTED] wrote:

> Many protocols use some form of self describing data format, for example ASN.1, XML, S expressions, and bencoding.
>
> Why?
>
> Presumably both ends of the conversation have negotiated what protocol version they are using (and if they have not, you have big problems) and when they receive data, they need to get the data they expect. If they are looking for a list of integer pairs, and they get integer-string pairs, then having them correctly identified as strings is not going to help much.

The most important reason is application flexibility -- very often, complex data structures are being passed around, and having some format like those makes life easier. There is some security benefit, though -- see Section 7 of Abadi and Needham's "Prudent Engineering Practice for Cryptographic Protocols" (1995). (Yes, they're calling for a lot less than full-blown ASN.1.)

--Steve Bellovin, http://www.cs.columbia.edu/~smb
anti-RF window film
http://www.sciam.com/article.cfm?articleid=6670BF9B-E7F2-99DF-3EAC1C6DC382972F A company is selling a window film that blocks most RF signals. The obvious application is TEMPEST-shielding. I'm skeptical that it will be very popular -- most sites won't want to give up Blackberry and cell phones... --Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: Quantum Cryptography
I'm unhappy with the tone of the discussion thus far. It's gone far beyond critiquing current products and is instead attacking the very concept.

Today's cryptography is largely based on certain assumptions. You can't even call them axioms; they're far too weak. Let's consider RSA. We *know* that no one has proven it equivalent to factoring; even if that had been done, there is as far as I know no theoretically and useful computational complexity bound for factoring, especially for the average case. Similarly, we have no proofs that discrete log is inherently hard. But cryptographic proofs frequently work by showing that breaking some new construct is equivalent to solving one of these believed to be hard problems. We have a theoretically unbreakable system -- one-time pads -- but as most of us on this list know, they're rarely usable.

Protocols are even worse. We can prove certain things about the message exchanges, and we have tools to help analyze protocols. But I have yet to see any such mechanism that can cope with attacks that mix protocol weaknesses with, say, number theory -- think of Bleichenbacher's Million Message Attack (which also involved how the protocol worked over the wire) or Simmons' Common Modulus Attack.

It's not wrong to want something better. Sure, we think our ciphers are secure. The Germans thought that of Enigma and the Geheimschreiber; the Japanese thought that of Purple. Is AES secure? NSA has said so publicly, but there have been technical papers challenging that. I've seen no technical commentary on this list on the Warren D. Smith paper that was cited here about a week ago.

To me, QKD is indeed a very valid area for research. It's a very different approach; ultimately, it may prove to be useful, at least in some circumstances.

Now -- I'm not saying that *anyone* should buy today's products. As has been pointed out ad infinitum, they rely on conventional cryptographic techniques for authentication. More seriously, they have been subject to serious friendly attacks. It's only recently been mentioned prominently that most devices don't send a single photon per bit, and the proof of security relies on that. There is the limitation, possibly inherent, to a single link. (I wonder, though, what can be done in the future with switched optical networks.)

All that said, perhaps QKD will be useful some day. Unauthenticated? Diffie-Hellman is unauthenticated. Expensive? RSA is computationally expensive, and in fact wasn't used very much for 10 years after its invention. Single link? We still use -- and need -- link-layer cryptography today. Provable security? Despite their limitations, one-time pads are and have been used in the real world. Sometimes, the operational and threat environments are right. Gilmore has noted that cryptography is a matter of economics -- and in some situations, perhaps the economics of QKD are right.

It's very valid to criticize today's products, and it's almost obligatory to criticize over-hyped marketing. As I said, I don't think today's products are useful anywhere, and the comparisons vendors draw to conventional cryptography are at best misleading. But let's not throw the baby out with the bathwater.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: How the Greek cellphone network was tapped.
On Mon, 9 Jul 2007 17:52:38 +1000 Ian Farquhar (ifarquha) [EMAIL PROTECTED] wrote:

> And don't forget, some of the biggest markets are still crypto-phobic. Every time I enter China I have to tick a box on the entry form indicating that I am not carrying any communications security equipment.

That's interesting -- the news just came out about Blackberry entering the Chinese market... See http://www.technewsworld.com/story/58167.html which (briefly) discusses such issues.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: How the Greek cellphone network was tapped.
On Tue, 17 Jul 2007 13:11:41 -0400 (EDT) Leichter, Jerry [EMAIL PROTECTED] wrote:

> I'd guess that the next step will be in the business community. All it will take is one case where a deal is visibly lost because of "proven" eavesdropping ("proven" in quotes because it's unlikely that there will really be any proof - just a *perception* of a smoking gun - and in fact it could well be that the trigger case will really be someone covering his ass over a loss for entirely different reasons) and all of a sudden there will be a demand for strong crypto on every Blackberry phone link. Things have a way of spreading from there: If the CEO's need this, then maybe I need it, too. If it is expensive or inconvenient, I may feel the need, but I won't act on it. But the CEO's will ensure that it isn't inconvenient - they won't put up with anything that isn't invisible to them - and technology will quickly drive down the cost.

You're an optimist. There was the Israeli case of the tailored virus. I haven't noticed any rush to get rid of insecure operating systems, mailers, and word processors. Or have a look at http://fe24.news.re3.yahoo.com/s/nm/20070717/tc_nm/internet_attack_dc and ask if that will do it. (Department of Transportation? Department of Defense, more likely, from that list of businesses...)

Today's Wall Street Journal reported on new threats from ads on the Internet, and loudly worried why ad companies and web sites weren't doing more to filter their offerings. But an ad is just web content, which means that the real problem is the web browser and host OS. Will that prompt a switch?

We're talking about phone calls -- did all of the well-publicized cellular eavesdropping (Prince Charles, Newt Gingrich (then a major US politician), and more) prompt a change? Well, there are now US laws against that sort of phone eavesdropping gear -- a big help.

Want another example? How many US corporations have major operations in China? What are the odds that the Chinese government is listening in? If you're uncertain, see (a) the posting on this list a few days ago about the landing declaration about communications security devices and (b) yesterday's news story about email problems to China because of apparent problems with the Great Firewall (http://www.cnn.com/2007/TECH/07/18/china.email.reut/index.html). None of this seems to have affected business there. (Nor are corporations unaware of this; I was advising people on this close to 20 years ago.)

I agree that it will take a trigger. I don't know what that trigger will be, but it won't be something as simple as a proven case. It's hard to predict what will get enough people upset; sometimes, it's nothing at all. (Remember the Pentium serial number case? Objectively, that was a complete non-issue, but enough people got upset about it that Intel had to back off.)

It will also have to be dead simple. It can't happen on the POTS network, because modem handshaking takes too long. It can't happen on conventional cellular unless the voice is traveling over a clear-channel end-to-end data connection, not something that the carrier's equipment knows is voice. (There's also the question of phone CPU access to the voice channel, per Bill Stewart's post.) It could happen for VoIP if done properly, as others have pointed out. It has to be easy to use, which means that things like PKIs are, shall we say, obstacles.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: How the Greek cellphone network was tapped.
On Sat, 21 Jul 2007 04:46:51 -0700 (PDT) bear [EMAIL PROTECTED] wrote:

> On Thu, 19 Jul 2007, Charles Jackson wrote:
>
>> An earlier post, talking about vulnerabilities and the lack of an appropriate market response, said:
>>
>>> We're talking about phone calls -- did all of the well-publicized cellular eavesdropping (Prince Charles, Newt Gingrich (then a major US politician), and more) prompt a change? Well, there are now US laws against that sort of phone eavesdropping gear -- a big help.
>
> Halfway, I think. ISTR there are laws against manufacture for sale, sale, purchase, or most usage of such gear - but no laws against manufacture without intent to sell, possession, or some exempted types of use of such gear. Basically, owning such devices is not a crime, nor is using them provided the target has been duly notified that their call will be or is being intercepted. So you can build the gear, and you can demo the gear you've built on a call made for purposes of demo-ing the gear.

Not as I read the statute (and of course I'm not a lawyer). Have a look at 18 USC 2512 (http://www4.law.cornell.edu/uscode/html/uscode18/usc_sec_18_2512000-.html):

   any person who intentionally ... manufactures, assembles, possesses, or sells any electronic, mechanical, or other device, knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications, and that such device or any component thereof has been or will be sent through the mail or transported in interstate or foreign commerce; ...

So simple possession of a surreptitious interception device is illegal, with exceptions for things like sale to law enforcement or communications companies.

> Consult a lawyer first, but I believe it may also be legal to monitor calls made in a given location provided you first put up a sign that says "all cell calls made on these premises will be monitored" etc. But you can't legally buy or sell the equipment to do it.

Probably -- that's not "surreptitious".

>> I think the most publicized cases of cellular interception, including the two mentioned above, were interceptions of analog calls. Such interception was not too hard to do. In some cases you could pick up one side of such calls on old American TV sets (sets that tuned above channel 69 on the UHF dial).
>
> The technical requirement was for a TV with a UHF analog *tuner* as opposed to a digital channel-selection dial. The channels that the cellular network used (still uses? I don't know) were in between the channels that were assigned whole numbers in TV tuning. So you could pick up some cell traffic if you tuned, for example, to UHF TV channel 78.44. But not if you tuned to channel 78 or channel 79.

The specific law I had in mind when I posted that note was the ban on scanners capable of picking up cellular bands, as well as decoders to convert digital cellular signals to analog. See http://findarticles.com/p/articles/mi_m3457/is_n17_v11/ai_13701996 and http://www.eff.org/Legislation/?f=bills_affect_online.notice.txt There are other provisions in the law that bar interception of encrypted or scrambled signals, but I haven't waded through the verbiage enough to know if they apply here.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: Enigma for sale on eBay
On Fri, 20 Jul 2007 14:10:40 -0700 [EMAIL PROTECTED] wrote:

> [EMAIL PROTECTED] said:
>
>> http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItemitem=270146164488
>
> ebay now says (as of when this message is sent):
>
>    This Listing Is Unavailable
>    This listing (270146164488) has been removed or is no longer available. Please make sure you entered the right item number. If the listing was removed by eBay, consider it canceled. Note: Listings that have ended more than 90 days ago will no longer appear on eBay.

See Bruce Schneier's blog entry (http://www.schneier.com/blog/archives/2007/07/enigma_machine.html) -- it was relisted and sold for $30K.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
NIST documents for public review
From: Elaine Barker [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: NIST documents for public review
Date: Mon, 30 Jul 2007 09:52:46 -0400
X-Mailer: QUALCOMM Windows Eudora Version 6.2.3.4

NIST announces the release of draft Special Publication 800-106, Randomized Hashing Digital Signatures. This Recommendation provides a technique to randomize the input messages to hash functions prior to the generation of digital signatures to strengthen security of the digital signatures. Please submit comments to [EMAIL PROTECTED] with "Comments on Draft 800-106" in the subject line. The comment period closes on September 17, 2007.

NIST announces the release of draft Special Publication 800-107, Recommendation for Using Approved Hash Algorithms. This Recommendation provides guidance on using the Approved hash algorithms in digital signatures applications, Keyed-hash Message Authentication Codes (HMACs), key derivation functions (KDFs) and random number generators. Please submit comments to [EMAIL PROTECTED] with "Comments on Draft 800-107" in the subject line. The comment period closes on September 17, 2007.

**

NIST announces the release of Draft Federal Information Processing Standard (FIPS) 198-1 Publication, The Keyed-Hash Message Authentication Code (HMAC). The draft FIPS 198-1 is the proposed revision of FIPS 198. The draft specifies a keyed-hash message authentication code, a mechanism for message authentication using cryptographic hash functions and shared secret keys. Comments will be accepted through September 10, 2007. Comments should be forwarded to the Computer Security Division, Information Technology Laboratory at NIST or submitted via email to [EMAIL PROTECTED] with "Comments on Draft 198-1" in the subject line. Click here to review the Federal Register Notice for Draft FIPS PUB 198-1.

*

NIST announces the release of Draft Federal Information Processing Standard (FIPS) 180-3 Publication, Secure Hash Standard (SHS). The draft FIPS 180-3 is the proposed revision of FIPS 180-2. The draft specifies five secure hash algorithms (SHAs) called SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 which are used to condense input messages to fixed-length messages, called message digests. These algorithms produce 160, 256, 384, and 512-bit message digests, respectively. Comments will be accepted through September 10, 2007. Comments should be forwarded to the Computer Security Division, Information Technology Laboratory at NIST or submitted via email to [EMAIL PROTECTED] with "Comments on Draft 180-3" in the subject line. Click here to review the Federal Register Notice for Draft FIPS PUB 180-3.

Elaine Barker
National Institute of Standards and Technology
100 Bureau Drive, Stop 8930
Gaithersburg, MD 20899-8930
301-975-2911
unintended consequences?
I recently saw a news story about a new kind of fiber optic cable from Corning -- it has a much smaller bending radius. (See http://money.cnn.com/magazines/fortune/fortune_archive/2007/08/06/100141306/index.htm?postversion=2007072303 and http://www.corning.com/media_center/press_releases/2007/2007072301.aspx) The problem is that when fiber is bent too sharply, the light escapes. Of course, that's the rumored way that, umm, agencies tap fiber: they bend it enough that some light escapes, but not too much. That trick won't work nearly as well with the new fiber, which is reportedly 100x more bendable. Does that mean that the new fiber is less tappable? --Steve Bellovin, http://www.cs.columbia.edu/~smb
John Young and Cryptome
http://www.radaronline.com/from-the-magazine/2007/08/cryptome_john_young_radar_anthony_haden_guest_1.php --Steve Bellovin, http://www.cs.columbia.edu/~smb
a new way to build quantum computers?
http://www.tgdaily.com/content/view/33425/118/

   Ann Arbor (MI) - University of Michigan scientists have discovered a breakthrough way to utilize light in cryptography. The new technique can crack even complex codes in a matter of seconds. Scientists believe this technique offers much advancement over current solutions and could serve to foil national and personal security threats if employed

I'll let those who know more physics comment in detail; from reading the article, it appears to lead to a way to construct quantum computers.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
more reports of terrorist steganography
http://www.esecurityplanet.com/prevention/article.php/3694711 I'd sure like technical details... --Steve Bellovin, http://www.cs.columbia.edu/~smb
interesting paper on the economics of security
http://www.cl.cam.ac.uk/~rja14/Papers/econ_crypto.pdf --Steve Bellovin, http://www.cs.columbia.edu/~smb
NSA crypto modernization program
http://www.fcw.com/article103563-08-27-07-Print --Steve Bellovin, http://www.cs.columbia.edu/~smb
open source digital cash packages
Are there any open source digital cash packages available? I need one as part of another research project. --Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: using SRAM state as a source of randomness
On Mon, 17 Sep 2007 11:20:32 -0700 Netsecurity [EMAIL PROTECTED] wrote:

> Back in the late 60's I was playing with audio and a magazine I subscribed to had a circuit for creating warble tones for standing wave and room resonance testing. The relevance of this is that they were using a random noise generating chip that they acknowledged was not random enough for good measurements. The fix suggested was to parallel a number, six as I recall, to improve the randomness by mixing the signals to achieve better randomness. I don't recall the math but the approach improved the randomness by more than an order of magnitude.
>
> I have also seen the same effect on reverse biased zener diodes used as random noise generators and that seemed - no real hard measurements that I can recall - to work quite well. Mind you these were not zeners all fabricated on a single chip, but rather individuals soldered together so the characteristics of each were more random because of the semi-randomness of the manufacturing process.

This is an old technique. We could even go back to von Neumann's scheme: look at two successive bits. If they're equal, discard them. Otherwise, map 0,1 to 0 and 1,0 to 1. See the section on "Software whitening" in http://en.wikipedia.org/wiki/Hardware_random_number_generator (which was correct as of when I looked at it, a few minutes before the timestamp on this email; check the Wiki history to be sure).

--Steve Bellovin, http://www.cs.columbia.edu/~smb
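Both whitening ideas in this exchange, XOR-mixing several noisy sources and von Neumann's pair-discarding corrector, are implemented below as an added Go example (not code from the thread); the biased source is constructed with a seeded PRNG so the numbers are repeatable, and the comments note what each method assumes:

```go
package main

import (
	"fmt"
	"math/rand"
)

// biasedSource returns n bits from a constructed source that emits 1 with
// probability pOne. It stands in for the "not random enough" noise chip in
// the post; a seeded math/rand is used only so the demonstration repeats.
func biasedSource(n int, pOne float64, seed int64) []byte {
	r := rand.New(rand.NewSource(seed))
	bits := make([]byte, n)
	for i := range bits {
		if r.Float64() < pOne {
			bits[i] = 1
		}
	}
	return bits
}

// vonNeumann is the corrector from the reply: take bits in pairs, discard
// equal pairs, map (0,1) to 0 and (1,0) to 1. When the input bits are
// independent with a constant bias p, both surviving patterns have
// probability p(1-p), so the output is exactly unbiased, at the cost of
// discarding most of the input. Correlated bits (neighbouring SRAM cells,
// say) void that guarantee; the scheme removes bias, not correlation.
func vonNeumann(bits []byte) []byte {
	out := make([]byte, 0, len(bits)/4)
	for i := 0; i+1 < len(bits); i += 2 {
		switch {
		case bits[i] == 0 && bits[i+1] == 1:
			out = append(out, 0)
		case bits[i] == 1 && bits[i+1] == 0:
			out = append(out, 1)
		}
	}
	return out
}

// xorCombine mixes independent sources bit by bit with XOR, the "parallel
// six of them" trick from the quoted post. By the piling-up lemma, k sources
// with bias e (P(0) = 1/2 + e) leave a residual bias of 2^(k-1) * e^k: for
// six sources at P(1) = 0.8 (e = -0.3) that is about 0.023, an order of
// magnitude better, but unlike vonNeumann it never reaches zero.
func xorCombine(sources ...[]byte) []byte {
	n := len(sources[0])
	for _, s := range sources[1:] {
		if len(s) < n {
			n = len(s)
		}
	}
	out := make([]byte, n)
	for _, s := range sources {
		for i := 0; i < n; i++ {
			out[i] ^= s[i]
		}
	}
	return out
}

// fractionOnes is the crude bias estimate used below; a real
// characterisation would also test for serial correlation.
func fractionOnes(bits []byte) float64 {
	if len(bits) == 0 {
		return 0
	}
	ones := 0
	for _, b := range bits {
		ones += int(b)
	}
	return float64(ones) / float64(len(bits))
}

func main() {
	raw := biasedSource(20000, 0.8, 1)
	fmt.Printf("raw source:       n=%5d  P(1)=%.3f\n", len(raw), fractionOnes(raw))
	vn := vonNeumann(raw)
	fmt.Printf("von Neumann:      n=%5d  P(1)=%.3f\n", len(vn), fractionOnes(vn))
	var srcs [][]byte
	for seed := int64(1); seed <= 6; seed++ {
		srcs = append(srcs, biasedSource(20000, 0.8, seed))
	}
	mixed := xorCombine(srcs...)
	fmt.Printf("XOR of 6 sources: n=%5d  P(1)=%.3f\n", len(mixed), fractionOnes(mixed))
}
```

The raw source sits near P(1)=0.8, the six-way XOR near 0.48 with no loss of length, and the von Neumann output near 0.5 but with only about a third of the pairs surviving.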
Re: OK, shall we savage another security solution?
On Wed, 19 Sep 2007 09:29:53 +0100 Dave Korn [EMAIL PROTECTED] wrote:

> On 18 September 2007 23:22, Leichter, Jerry wrote:
>
>> Anyone know anything about the Yoggie Pico (www.yoggie.com)? It claims to do much more than the Ironkey, though the language is a bit less marketing-speak. On the other hand, once I got through the marketing stuff to the technical discussions at Ironkey, I ended up with much more in the way of warm fuzzies than I do with Yoggie.
>> -- Jerry
>
> Effectively, it's just an offload processor in fancy dress. It relies on diverting all your network traffic out to the USB and back just before/after the NIC, which it presumably has to do with some sort of filter driver, so it's subject to all the same problems vs. malware as any desktop pfw. Unless your box is so overloaded that the pfw is starved of cpu cycles, I can't see the use of it myself.

If done properly -- i.e., with cryptographic protection against new firmware or policy uploads to it -- it's immune to host or user compromise as a way to disable the filter.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: Seagate announces hardware FDE for laptop and desktop machines
On Tue, 02 Oct 2007 15:50:27 +0200 Simon Josefsson [EMAIL PROTECTED] wrote:

> It sounds to me as if they are storing the AES key used for bulk encryption somewhere on the disk, and that it can be "unlocked" via the password.

I'd say "decrypted by the password", rather than "unlocked", but that's the right way to do it, since it permits easy password changes. It also lets you do things like use different AES keys for different parts of the disk (necessary with 3DES, probably not with AES).

> So it may be that the bulk data encryption AES key is randomized by the device (using what entropy?) or possibly generated in the factory, rather than derived from the password.

There was this paper on using air turbulence-induced disk timing variations for entropy...

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: Password hashing
On Thu, 11 Oct 2007 22:19:18 -0700 james hughes [EMAIL PROTECTED] wrote:

> A proposal for a new password hashing based on SHA-256 or SHA-512 has been proposed by RedHat but to my knowledge has not had any rigorous analysis. The motivation for this is to replace MD-5 based password hashing at banks where MD-5 is on the list of "do not use" algorithms. I would prefer not to have the discussion "MD-5 is good enough for this algorithm" since it is not an argument that the customers requesting these changes are going to accept.

NetBSD uses iterated HMAC-SHA1, where the password is the key and the salt is the initial plaintext. (This is my design but not my implementation.)

--Steve Bellovin, http://www.cs.columbia.edu/~smb
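The design sketched in the reply, password as HMAC-SHA1 key and salt as the first round's plaintext with each output feeding the next round, written out as an added Go example; this is not NetBSD's code or its stored-hash format, and the record layout, the 16-byte salt and the round count are assumptions for the illustration:

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// iteratedHMAC is the construction described in the post, reduced to its
// core: the password is the HMAC-SHA1 key, the salt is the plaintext fed
// to the first round, and each round's output is the plaintext of the
// next. This illustrates that design only; it is not NetBSD's on-disk
// encoding or its round selection. rounds is an assumed work factor.
func iteratedHMAC(password, salt []byte, rounds int) []byte {
	if rounds < 1 {
		rounds = 1
	}
	mac := hmac.New(sha1.New, password)
	data := salt
	for i := 0; i < rounds; i++ {
		mac.Reset()
		mac.Write(data)
		data = mac.Sum(nil) // 20-byte digest becomes the next round's input
	}
	return data
}

// credential is one stored record; the layout is assumed for this example.
type credential struct {
	Salt   []byte
	Rounds int
	Digest []byte
}

// hashPassword draws a fresh 16-byte salt per record, so equal passwords
// give unequal records and a precomputed table helps with at most one user.
func hashPassword(password string, rounds int) (credential, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return credential{}, err
	}
	return credential{
		Salt:   salt,
		Rounds: rounds,
		Digest: iteratedHMAC([]byte(password), salt, rounds),
	}, nil
}

// verify recomputes the digest from the stored salt and round count and
// compares in constant time, so response timing does not reveal how many
// leading bytes of a guess matched.
func verify(password string, rec credential) bool {
	got := iteratedHMAC([]byte(password), rec.Salt, rec.Rounds)
	return hmac.Equal(got, rec.Digest)
}

func main() {
	rec, err := hashPassword("correct horse battery staple", 24000)
	if err != nil {
		panic(err)
	}
	fmt.Printf("salt=%s rounds=%d digest=%s\n",
		hex.EncodeToString(rec.Salt), rec.Rounds, hex.EncodeToString(rec.Digest))
	fmt.Println("right password accepted:", verify("correct horse battery staple", rec))
	fmt.Println("wrong password accepted:", verify("correct horse battery stapler", rec))
}
```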
Re: refactoring crypto handshakes (SSL in 3 easy steps)
There was a paper by Li Gong at an early CCS -- '93, I think, though it might have been '94 -- on the number of messages different types of authentication protocol took. It would be a good starting point.