Re: [IP] Master Key Copying Revealed (Matt Blaze of ATT Labs)
I took a look at the MIT Guide to Lock Picking August 1991 revision at http://www.lysator.liu.se/mit-guide/mit-guide.html It says: 9.10 Master Keys Many applications require keys that open only a single lock and keys that open a group of locks. The keys that open a single lock are called change keys and the keys that open multiple locks are called master keys. To allow both the change key and the master key to open the same lock, a locksmith adds an extra pin called a spacer to some of the pin columns. See Figure 9.8. The effect of the spacer is to create two gaps in the pin column that could be lined up with the sheer line. Usually the change key aligns the top of the spacer with the sheer line, and the master key aligns the bottom of the spacer with the sheer line (the idea is to prevent people from filing down a change key to get a master key). In either case the plug is free to rotate. The parenthetical comment suggests awareness of the general vulnerability Matt exploited, but I suspect that had the authors known the multiple partial copy trick Matt described, they would have published it. Arnold Reinhold - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: EU Privacy Authorities Seek Changes in Microsoft 'Passport'
- Original Message - From: bear [EMAIL PROTECTED] [Talking about Microsoft Passport...] But it's even worse than that, because people who ought to know better (and people who *DO* know better, their own ethics and customers' best interests be damned) are even *DEVELOPING* for this system. It just doesn't make any damn sense. It does make some sense. The more people who are developing the system who know better, the more they may influence higher management. I'm sure that you know that in a big company like Microsoft, it's not the developer, architect or cryptographer that decides what is shipped out, but managers who don't care about security but more about $. The more security-conscious people who start working for Microsoft, the better, they will have more power to influence the decisions of higher management. Microsoft has the most widely used software products, it's a good place for someone to try to influence good security practices. If you are a security person or cryptographer, you can either decide to work for some small company which has good security practices and your opinions be highly considered, but their products not widely spread, or for a big company with widely spread products but which has bad security practices, and try to change things (even though your opinions are less considered). In which case does the security person or cryptographer have the most impact on the world of software security? --Anton - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
NIST Key Mgmt. Drafts
[Moderator's note: Edited to remove HTML and the huge To: list. --Perry] NIST is requesting comments on three draft key management documents, which are available at http://csrc.nist.gov/CryptoToolkit/tkkeymgmt.html. 1. Recommendation for Key Management, Part 1: General Guideline provides general key management guidance for system developers and system administrators. This is a revision of a draft provided in June, 2002. Please submit comments to [EMAIL PROTECTED] by April 3, 2003. 2. Recommendation for Key Management, Part 2: Best Practices for Key Management Organization provides guidance for system and application owners for use in identifying appropriate organizational key management infrastructures, establishing organizational key management policies, and specifying organizational key management practices and plans. This is an initial draft of this part of the Recommendation. Please submit comments to [EMAIL PROTECTED] by May 2, 2003. 3. Recommendation on Key Establishment Schemes provides specifications of key establishment schemes based on standards developed by the American National Standards Institute (ANSI) X9: ANSI X9.42, Agreement of Symmetric Keys Using Discrete Logarithm Cryptography, and ANSI X9.63, Key Agreement and Key Transport Using Elliptic Curve Cryptography. Inclusion of RSA techniques as specified in ANSI X9.44, Key Establishment Using Integer Factorization Cryptography, is planned for the future. This draft is a revision of a draft provided in October, 2001. Please submit comments to [EMAIL PROTECTED] by April 3, 2003. Elaine Barker National Institute of Standards and Technology 100 Bureau Dr., Stop 8930 Gaithersburg, MD 20899-8930 Phone: 301-975-2911 Fax: 301-948-1233 Email: [EMAIL PROTECTED] - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
OASIS LegalXML Lawful Intercept XML Technical Committee (LI-XML)
http://xml.coverpages.org/LawfulInterceptTC.html OASIS LegalXML Lawful Intercept XML Technical Committee (LI-XML) OASIS Members to Create Framework for Global Sharing of Criminal and Terrorist Evidence XML Specification Will Deliver Reliable Authentication and Auditing to Safeguard Privacy and Increase Effectiveness of Lawful Intercepts Boston, MA, USA. January 23, 2003. The OASIS standards consortium today announced the formation of a new technical committee to develop a universal global framework for supporting rapid discovery and sharing of suspected criminal and terrorist evidence by law enforcement agencies. The OASIS LegalXML Lawful Intercept XML (LI-XML) Technical Committee was formed to meet critical needs emerging from several national and intergovernmental mandates around the world, including the recently passed United States Homeland Security Information Sharing Act of 2002, the new Lawful Intercept additional protocol of the European Convention on Mutual Assistance in Criminal Matters, and e-Government mandates in Europe and the United States. As the ability for criminals and terrorists to access technology increases, the challenge for law enforcement to detect, comply with legal process, and implement evidence discovery tools also grows, noted Anthony M. Rutkowski of VeriSign, chair of the OASIS LegalXML LI-XML Technical Committee. Government agencies as well as providers of electronic communication services worldwide will benefit from uniform XML schema that facilitates fully electronic receipt, authentication, and implementation of lawful process. Rutkowski added that the enhanced precision, authentication, and audit features provided by LI-XML will result in greater public trust in the traditionally sensitive area of legal discovery. As part of the OASIS LegalXML Member Section, the LI-XML specification will be designed to support an end-to-end legal process where law enforcement, justice, and security agencies are the principal beneficiaries. LI-XML Technical Committee members plan to work closely with related OASIS efforts including the LegalXML Electronic Court Filing and OASIS e-Government Technical Committees. LI-XML is the latest in a growing number of OASIS Technical Committees that address the needs of the public sector, noted Karl Best, vice president of OASIS. We are encouraged to see government agencies and representatives from around the globe joining OASIS to advance this effort, along with our e-Government, Tax XML and other LegalXML initiatives. Participation in the OASIS LegalXML LI-XML Technical Committee remains open to all organizations and individuals. OASIS will host an open mail list for public comment, and completed work will be freely available to the public without licensing or other fees. Information on joining OASIS can be found on http://www.oasis-open.org/join . About OASIS OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit, global consortium that drives the development, convergence, and adoption of e-business standards. Members themselves set the OASIS technical agenda, using a lightweight, open process expressly designed to promote industry consensus and unite disparate efforts. OASIS produces worldwide standards for security, Web services, XML conformance, business transactions, electronic publishing, topic maps and interoperability within and between marketplaces. Founded in 1993, OASIS has more than 2,000 participants representing over 300 companies as well as individual members in 100 countries around the world. For more information: Carol Geyer Director of Communications OASIS Email: [EMAIL PROTECTED] Voice: +1.978.667.5115 x209 Prepared by Robin Cover for The XML Cover Pages archive. See details in the 2003-01-23 news story: OASIS LegalXML Member Section Forms Lawful Intercept XML Technical Committee. Document URL: http://xml.coverpages.org/LawfulInterceptTC.html -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
QUALCOMM Qsec-800 Secure CDMA phone
--- begin forwarded text Date: Wed, 29 Jan 2003 17:57:00 -0500 To: undisclosed-recipient:; From: Monty Solomon [EMAIL PROTECTED] Subject: QUALCOMM Qsec-800 Secure CDMA phone Status: R QUALCOMM's CDMA Technology Enhances Security Measures at Super Bowl XXXVII - Regional Homeland Security Agencies and Technology Partners Teamed Up To Provide Security Assistance for the Super Bowl - SAN DIEGO, Jan. 29 /PRNewswire-FirstCall/ -- QUALCOMM Incorporated (NASDAQ:QCOM), pioneer and world leader of Code Division Multiple Access (CDMA) digital wireless technology, joined forces with regional homeland security agencies and technology partners to augment existing security measures for Super Bowl XXXVII. QUALCOMM, in partnership with the San Diego Regional Network on Homeland Security (RNHS) and other technology companies, assisted the San Diego Police Department (SDPD) with security preparations for Super Bowl XXXVII by providing technology and products based on CDMA technology. QUALCOMM provided wireless phones capable of carrying government- classified information over commercial cellular networks to federal law enforcement agencies and federal task force entities. These phones, referred to as the Qsec-800(R), are National Security Agency certified cellular phones developed through a U.S. Government contract with QUALCOMM. The phones represent a first step in securing the nation's cellular communications using the extensive CDMA network that is commercially available. In addition to the secure wireless handsets, QUALCOMM had worked out an architecture that allowed the SDPD to access data, such as real time video as supplied by cameras, using digital technology from cVideo, at QUALCOMM Stadium, over commercial CDMA2000 1X networks. QUALCOMM's expertise in security ensured these data capabilities met the high standards set by the United States Department of Justice and local law enforcement. ... http://finance.lycos.com/home/news/story.asp?story=31220472 --- end forwarded text -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Europe Said to Agree on Microsoft Privacy Issues
http://www.nytimes.com/2003/01/30/business/worldbusiness/30SOFT.html?ei=5062en=fa850440cebec7cfex=1044507600partner=GOOGLEpagewanted=printposition=top The New York Times January 30, 2003 Europe Said to Agree on Microsoft Privacy Issues By THE NEW YORK TIMES y The New York Times BRUSSELS, Jan. 29 - Data-protection officials from the 15 member nations of the European Union will ask Microsoft to make additional changes to Passport, its online customer authentication system, people close to the officials' deliberations on the matter say. The officials concluded a two-day conference here today with an agreement on how to respond to offers by Microsoft to bring Passport into compliance with the union's strict data privacy laws. But they decided not to make it public until later this week to permit time for it to be translated from English into French. A Microsoft spokesman said the company could not comment until the final language of the decision was available. One person who attended the meeting said Microsoft had offered to make substantial changes to Passport. He said that a central problem the officials had identified with Passport was the way it permits Microsoft to share personal details it gathers about consumers with other companies that participate in Microsoft's e-commerce platform. Copyright 2003 The New York Times Company |Permissions |Privacy Policy -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]