Re: QuizID?
Marc Branchaud wrote: Any thoughts on this device? At first glance, it doesn't seem particularly impressive... http://www.quizid.com/ Looks like hardware S/Key, doesn't it? If I could fool the user into entering a quizcode, then it seems like I could get the device and the admin database out of sync and lock the user out of the system. /r$ - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
palladium presentation - anyone going?
Would someone at MIT / in Boston area like to go to this and send a report to the list? Might help clear up some of the currently unexplained aspects about Palladium, such as: - why they think it couldn't be used to protect software copyright (as the subject of Lucky's patent) - are there plans to move SCP functions into processor? any relation to Intel Lagrange - isn't it quite weak as someone could send different information to the SCP and processor, thereby being able to forge remote attestation without having to tamper with the SCP; and hence being able to run different TOR, observe trusted agents etc. I notice at the bottom of the talk invite it says | "Palladium" is not designed to provide defenses against | hardware-based attacks that originate from someone in control of the | local machine. but in this case how does it meet the BORA prevention. Is it BORA prevention _presuming_ the local user is not interested to reconfigure his own hardware? Will it really make any significant difference to DRM enforcement rates? Wouldn't the subset of the file sharing community who produce DVD rips still produce Pd DRM rips if the only protection is the assumption that the user won't make simple hardware modifications. Adam Original Message Subject: LCS/CIS Talk, OCT 18, TOMORROW Date: Thu, 17 Oct 2002 12:49:01 -0400 From: Be Blackburn <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] CC: [EMAIL PROTECTED] Open to the Public Date: Friday, Oct 18, 2002 Time: 10:30 a.m.- 12:00 noon Place:NOTE: NE43-518, 200 Tech Square Title:Palladium Speaker: Brian LaMacchia, Microsoft Corp. Hosts:Ron Rivest and Hal Abelson Abstract: This talk will present a technical overview of the Microsoft "Palladium" Initiative. The "Palladium" code name refers to a set of hardware and software security features currently under development for a future version of the Windows operating system. "Palladium" adds four categories of security services to today's PCs: a. Curtained memory. The ability to wall off and hide pages of main memory so that each "Palladium" application can be assured that it is not modified or observed by any other application or even the operating system. b. Attestation. The ability for a piece of code to digitally sign or otherwise attest to a piece of data and further assure the signature recipient that the data was constructed by an unforgeable, cryptographically identified software stack. c. Sealed storage. The ability to securely store information so that a "Palladium" application or module can mandate that the information be accessible only to itself or to a set of other trusted components that can be identified in a cryptographically secure manner. d. Secure input and output. A secure path from the keyboard and mouse to "Palladium" applications, and a secure path from "Palladium" applications to an identifiable region of the screen. Together, these features provide a parallel execution environment to the "traditional" kernel- and user-mode stacks. The goal of "Palladium" is to help protect software from software; that is, to provide a set of features and services that a software application can use to defend against malicious software also running on the machine (viruses running in the main operating system, keyboard sniffers, frame grabbers, etc). "Palladium" is not designed to provide defenses against hardware-based attacks that originate from someone in control of the local machine. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: QuizID?
On Thursday, Oct 17, 2002, at 19:39 Europe/London, Rich Salz wrote: Marc Branchaud wrote: Any thoughts on this device? At first glance, it doesn't seem particularly impressive... http://www.quizid.com/ Looks like hardware S/Key, doesn't it? If I could fool the user into entering a quizcode, then it seems like I could get the device and the admin database out of sync and lock the user out of the system. [Note: I have an interest, since QuizID use nCipher hardware] Their device has a neat way of synchronizing the sequence number to the server which both avoids the clock drift problems that trouble RSA SecurID and mean that you'd have to get the user to pass you a large number of codes before you got them out of sync with the server. It also helps them avoid some of RSA's later patents which deal with their troublesome clock sync problems. Nicko - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: QuizID?
On Thu, Oct 17, 2002 at 02:39:55PM -0400, Rich Salz wrote: | Marc Branchaud wrote: | >Any thoughts on this device? At first glance, it doesn't seem | >particularly impressive... | > | >http://www.quizid.com/ | | Looks like hardware S/Key, doesn't it? | | If I could fool the user into entering a quizcode, then it seems like I | could get the device and the admin database out of sync and lock the | user out of the system. Aww, Rich, that trick never works! More seriously, most of the vendors will search forwards and back through the expected codes to make the attack less likely to work. (If authentication is centralized, searching backwards may not be a security risk.) I think the most interesting part of this is the unit looks cool, and its spun slightly differently than other tokens have been. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
RE: QuizID?
> Branchaud, Marc writes: > > Any thoughts on this device? At first glance, it doesn't seem > particularly impressive... > > http://www.quizid.com/ > > Lovely idea of two-factor authentication: > >The user then enters their user name (something they know) and the >8-digit Quizid passcode (something they have) into the login screen >of their application. > > BBC NEWS | Technology | Handy future for online security > http://news.bbc.co.uk/1/hi/technology/2334491.stm > > Excerpt from the BBC article: > >Users are issued with a card and a personal code, based on a set of >colour keys on the card. Each time they wish to conduct a secure >transaction, they punch in the colour code and a random number is >generated. > > M. > [Note of vested interests: I work on RSA SecurID, which is a competing product.] Based on the information at the site, and Quizid's statement that their hardware is manufactured by ActivCard, I have to say that this looks an *awful lot* like the ActivCard Keychain Token, repackaged into a bigger form factor. Peter Trei Disclaimer: The above represents only my personal opinion. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
QuizID?
Any thoughts on this device? At first glance, it doesn't seem particularly impressive... http://www.quizid.com/ Lovely idea of two-factor authentication: The user then enters their user name (something they know) and the 8-digit Quizid passcode (something they have) into the login screen of their application. BBC NEWS | Technology | Handy future for online security http://news.bbc.co.uk/1/hi/technology/2334491.stm Excerpt from the BBC article: Users are issued with a card and a personal code, based on a set of colour keys on the card. Each time they wish to conduct a secure transaction, they punch in the colour code and a random number is generated. M. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
