How useful is www.crypto.com/exports/mail.txt?

2003-03-31 Thread Matt Blaze
For the last three years, I've operated a mail alias,
[EMAIL PROTECTED], that publicly archives and forwards
to the government authorities announcements of the public
availability of cryptographic software.  The idea
was that since current US export regulations require
notifying the government any time such software is made
available, it might be useful to have a mechanism that
lets the rest of us know at the same time.  It was
started on a whim, at the suggestion of someone on this
list, if I recall correctly.

The alias forwards messages sent to it to [EMAIL PROTECTED]
and [EMAIL PROTECTED] and archives the mail at
http://www.crypto.com/exports/mail.txt.  According to
my server logs, that (large) file gets a few hits an hour.
As of today, 128 announcements of crypto software availability
have been forwarded through it.

Lately, the flow of announcement messages has been dwarfed by
the bombardment of spam that you'd expect a relatively long-lived,
widely-published email address to receive.  The alias gets about
100 spam messages a day (I don't keep track any more, I just delete
them from the archive every now and then).  By contrast, the last
message actually announcing crypto software was sent at the beginning
of February.

Deleting the spam has gotten to be a real chore, and I have
a sense that perhaps the alias may have run its course
and outlived any useful purpose it may have once served.  There
are now other ways to advertise open-source software and other
archived mailing lists to which messages to the government can be
openly cc'd.  I'm considering shutting the [EMAIL PROTECTED] alias
down, or perhaps I might leave it up but not maintain the archive
web page.

Would this be a terrible inconvenience for anyone?  Does anyone
actually depend on this service at this point?  If so, I'll
be happy to keep it running, but if not, I think it may be
time to pull the plug.

-matt




-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Delta CAPPS-2 watch: decrypt boarding passes!

2003-03-08 Thread Matt Blaze
At most airports, they've moved most of the screening to the security
checkpoint, where they do the dump search of the people with the 
on the boarding pass and the lucky random selectees.  For flights
with  people on them, they also have TSA people to screen them
at the gate.  I've not noticed the specific mechanism they've used to
select the additional random selectees.  It's possible that it's
wrapped in to the program that decides who gets the  printed on
the boarding pass in the first place.  If so, that seems like a weakness,
since you would be able to predict whether you'll get the additional
scrutiny before you reach the checkpoint.  I'm not sure one way
or the other about what the actual practice is: has anyone here (who's
gone through the airports following the new procedure) been informed at
the checkpoint that they've been randomly selected for additional screening
but not had the  printed on the boarding pass?  The main way to tell
if you're at one of these airports is that you DON'T have to show
your ID when boarding.

For checked baggage screening, however, I have seen how they do the
randomness: it involves a pre-printed randomness table consulted
for each bag.  (Some airports do the baggage screening in front
of the passenger before it is turned over to the airline.)  Every bag
gets a basic scan through the sniffer, and bags that test positive
or that the randomness table selects are opened and searched by hand.

By the way, at these airports, you can no longer get past the checkpoint
with just a pre-printed receipt; you need either a boarding pass, a
gate pass printed by the airline (like a boarding pass, but for people
without a specific flight), or an airport ID. 

-matt

Russ Nelson writes:
 John Ioannidis writes:
   (they [TSA] still picked up random people without the search
   string on their boarding passes).
 
 HHH!  If this list was to have a subtitle it would be
 Practical uses of randomness.  Surely they're rolling dice, or
 cutting a well-shuffled deck, or consulting a book of random numbers,
 or using some other secure source of randomness.  Somebody please tell
 me that they're not just picking people at random.  I am reminded of
 a six-year-old's idea of randomness: eenie, meenie, miney, moe.
 
 -- 
 -russ nelson  http://russnelson.com | What Problem Are You Trying
 Crynwr sells support for free software  | PGPok | To Solve? is a service mark
 521 Pleasant Valley Rd. | +1 315 268 1925 voice | of Crynwr Software.
 Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | 
 







Re: Roger Needham Died - from The Register

2003-03-05 Thread Matt Blaze
Sad, sad news.

Roger's pioneering contributions to our art speak (volumes) for
themselves, and our field is diminished by the loss of his future
insights.

But I will miss him most for his enormous generosity, his sharp wit,
and his personal integrity.

-matt



 
 Obit: Roger Needham
 By Guy Kewney, Newswireless.net
 Posted: 02/03/2003 at 12:13 GMT
 
 Sadly, we record the death of Roger Needham, computer pioneer...
 
 There isn't much more to say, except that the man who was the reason 
 Microsoft set up its research centre in Cambridge, England, has had to lay 
 down his life's work. Cancer ended a legend.
 
 He once told me that it was his idea that Microsoft stopped spending money 
 on patenting its research ideas, and instead, to make the results available 
 to other researchers. I wish I'd known him long enough to have some other 
 stories to pass on myself; he left a long legacy of people who attributed 
 their inspiration to having worked with him.
 
 Here's what his CV at Microsoft Research says:
 
 Roger M Needham, born 1935, was in computing at Cambridge since 1956. His 
 1961 PhD thesis was on the application of digital computers to problems of 
 classification and grouping. In 1962 he joined the Computer Laboratory, 
 then called the Mathematical Laboratory, and has been on the faculty since 
 1963. He took a leading role in Cambridge projects in operating systems, 
 time sharing systems, memory protection, local area networks, and 
 distributed systems over the next twenty years.
 
 Roger worked at intervals on a variety of topics in security, (his main 
 research interest while with Microsoft) being particularly known for work 
 with Schroeder on authentication protocols (1978) and with Burrows and 
 Abadi on formalism for reasoning about them (1989).
 
 Roger graduated from the University of Cambridge in Mathematics and 
 Philosophy in 1956, and then took the Diploma in Numerical Analysis and 
 Automatic Computing in 1957. He had been in computing at Cambridge ever 
 since. He succeeded Maurice Wilkes as Head of the Computer Laboratory from 
 1980 to 1995, was promoted Professor in 1981, elected to the Royal Society 
 in 1985 and the Royal Academy of Engineering in 1993. He was appointed 
 Pro-Vice-Chancellor in 1996.
 
 I only met him a couple of times, both times when Microsoft was doing 
 corporate hospitality to publicise the work it was doing in the Cambridge 
 research facility. He was as knowledgeable as any rumour could have 
 suggested; and as tolerant of an ignorant journalist as any academic could 
 ever be. And I shall never get to know him, now.
 
 Guy Kewney is the editor/publisher of Newswireless.Net
 
 ---
 
 







Re: [Bodo Moeller bodo@openssl.org] OpenSSL Security Advisory: Timing-based attacks on SSL/TLS with CBC encryption

2003-02-24 Thread Matt Blaze
SMB writes:
 I'm struck by the similarity of this attack to Matt Blaze's master key 
 paper.  In each case, you're guessing at one position at a time, and 
 using the response of the security system as an oracle.  What's crucial 
 in both cases is the one-at-a-time aspect -- that's what makes the 
 attack linear instead of exponential.

There's nothing new under the sun; both attacks are more similar than
not to the classic Tenex page-alignment character-at-a-time password
guessing attack.

Speaking of which, does anyone have a good PRIMARY reference to that?
I've been trying to track one down for the print version of my lock
paper, and all I can find is either secondary references (like countless
OS textbooks and random computer security papers) or papers that you'd
think would have the attack but turn out not to (like the recent
Multics retrospective paper).  Where did the Tenex attack first
appear?

-matt
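To make the "linear instead of exponential" point concrete, here is an added example that is not part of the thread or of any of the participants' code. It models the one-position-at-a-time oracle the messages above describe (a comparison that stops at the first mismatch, so an observer learns how long the matching prefix was) against a comparison that reveals only accept/reject, and counts the queries each needs on a constructed toy secret. The secret, alphabet and function names are constructed for illustration; `hmac.compare_digest` is the standard-library constant-time comparison a defender would use.

```python
import hmac
from itertools import product

# Constructed toy secret and alphabet for the demonstration (not from the thread).
SECRET = "cab"
ALPHABET = "abcd"


def matched_prefix_length(secret: str, guess: str) -> int:
    """Early-exit comparison that reports how many leading characters matched.

    A byte-by-byte compare that stops at the first mismatch leaks exactly this
    value through a page-fault or timing side channel; the return value plays
    the role of that oracle here.
    """
    i = 0
    while i < len(secret) and i < len(guess) and secret[i] == guess[i]:
        i += 1
    return i


def check_constant_time(secret: str, guess: str) -> bool:
    """Hardened check: hmac.compare_digest's running time does not depend on
    where the first mismatch is, so a caller learns only accept or reject."""
    return hmac.compare_digest(secret.encode(), guess.encode())


def recover_with_prefix_oracle(secret: str, alphabet: str):
    """Count oracle queries when the compare leaks the matched prefix length.

    Each position is settled independently of the others, so the work grows
    linearly with the secret's length. Returns (recovered, query_count).
    """
    recovered = ""
    queries = 0
    for pos in range(len(secret)):
        for ch in alphabet:
            queries += 1
            if matched_prefix_length(secret, recovered + ch) > pos:
                recovered += ch
                break
        else:
            break  # character not in alphabet; nothing more can be learned
    return recovered, queries


def recover_with_yes_no_oracle(secret: str, alphabet: str):
    """Count queries when only accept/reject is observable.

    Every full-length candidate must be tried, so the work grows exponentially
    with the secret's length. Returns (recovered, query_count).
    """
    queries = 0
    for cand in product(alphabet, repeat=len(secret)):
        queries += 1
        guess = "".join(cand)
        if check_constant_time(secret, guess):
            return guess, queries
    return None, queries


def worst_case_queries(length: int, alphabet_size: int):
    """Upper bounds: length * alphabet_size with a per-position oracle,
    alphabet_size ** length with an all-or-nothing check."""
    return length * alphabet_size, alphabet_size ** length


if __name__ == "__main__":
    print("prefix oracle:", recover_with_prefix_oracle(SECRET, ALPHABET))
    print("yes/no oracle:", recover_with_yes_no_oracle(SECRET, ALPHABET))
    print("worst case (n*k, k**n):", worst_case_queries(len(SECRET), len(ALPHABET)))
```

With the three-character toy secret the per-position oracle settles the whole secret in 6 queries (worst case 12), while the accept/reject check needs 34 (worst case 64); the gap widens exponentially with length, which is why a length-independent comparison such as `hmac.compare_digest` is the standard fix for secret checks.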






Re: Columbia crypto box

2003-02-08 Thread Matt Blaze
John,

Your snipe at NASA is probably uncalled for.  A sentence fragment
quoted from a spokesperson at a press conference almost certainly
does not reflect the professional judgment of the people who designed
the system.

As someone who is occasionally quoted (and just as often misquoted)
in the press, I can imagine it was at least as likely that the question
was "why was encryption used?" as "why do you want the box back?"  To
say nothing of the popular (and even technical) confusion between
encryption and encoding.  I can certainly imagine very good reasons
that they'd want to keep the encoding and frequencies used to control
the shuttle secret; if nothing else, to prevent denial of service.

Do you really, honestly believe that none of the people designing a
secure communication system for the shuttle were even remotely acquainted
with the basic principles of the subject?  Or did you just want to make
a snide remark at the expense of people who are obviously now the subject
of enormous scrutiny?

One would think technologists would be wise enough not to assume 
too much about some sound bite without knowing its context, but
personal experience suggests that a substantial number of us
just jump at the chance to interpret everything we read in a 500
word article in the popular press as if it reflects the entire
body of thought on some subject.  For example, I got about
a dozen email messages from people complaining about how I obviously
advocate security through obscurity after something I wrote
was slightly misquoted (in an otherwise carefully written article)
as suggesting that people use keys that are hard to get blanks for.
Almost everyone complaining had also read the source for that quote
(which added a qualification that this probably doesn't offer
much protection), but that didn't matter.  People want to believe
what they read in the newspaper, even when they know the facts
first hand.

-matt

 As reported by AP:
 
 | Among the most important [debris] they were seeking was
 | a device that allows for the encryption of communication
 | between the shuttle and NASA controllers. A NASA spokesman
 | in Houston, John Ira Petty, said Friday that NASA feared
 | the technology could be used to send bogus signals to the
 | shuttle.
 
 Apparently some folks skipped class the day Kerckhoffs'
 Principle was covered.
 
 One wonders what other shuttle systems were designed
 with comparable disregard of basic principles.
 
 







final version of lock paper now available

2003-02-07 Thread Matt Blaze
For those who are interested, the final version of my paper on
cryptology and locks is available at
http://www.crypto.com/papers/mk.pdf
(the old version is still online at mk20020915.pdf in the same directory).

This is a 4MB file (it contains a bunch of moderate resolution images).

-matt







Re: Keep it secret, stupid!

2003-01-27 Thread Matt Blaze
 
  The tragic part is that there are alternatives.  There are several
  lock designs that turn out to resist this threat, including master
  rings and bicentric locks.  While these designs aren't perfect, they
 
 I think it is worth pointing out that, while master ring systems (and
 master-keyed systems with false steps added) resist the attack Matt
 describes, they often make the task of picking the lock (on a case by case
 basis) easier.

Actually, master ring systems make it considerably harder to pick
a lock.  Sometimes a pin will set at the master shear line and sometimes
it will set at the change shear line, but unless all pin stacks catch
at the same one, the lock won't operate.  (This phenomenon is also why
it is difficult to pick a SFIC core with conventional torque tools).

Adding false cuts does increase picking vulnerability, of course.

Personally, I think it's a shame that master ring designs have all but
disappeared. They're still listed as an option in the Corbin-Russwin
catalog for a few commercial cylinders, and are also used in some prison
locks as I understand it.

-matt


 
 That needs to be considered when designing a physical security plan. One
 may wish to key locks of particular importance separately from the master
 ring system if entry by picking is a concern.
 
 (There are some master-key systems, like the one made by Corbin, that
 require pin rotation at the proper time to unlock the secondary shear
 line. And, as Matt mentioned, bicentric cylinders avoid this problem
 completely. Cost may be a major concern with these solutions, though.)
 
 






Re: Keep it secret, stupid!

2003-01-26 Thread Matt Blaze
 Matt Blaze wrote:
 
  Once I understood the basics, I quickly discovered, or more accurately
  re-discovered, a simple and practical rights amplification (or
  privilege escalation) attack to which most master-keyed locks are
  vulnerable.
  http://www.crypto.com/masterkey.html
 
 Matt, is there some reason why you didn't bother asking a single locksmith
 if they knew about this attack already before claiming it was 'new' in
 your paper? Have you looked into the differences in actual costs of
 production of the various ways of making locks more secure? Do you have
 any information on how common various ways of breaking into locks are done
 in practice?

Of course I did.  What gave you the idea that I didn't?

 
 I'm not arguing that security through obscurity is a good thing, just
 pointing out that your claims of the importance of your publication are
 being made mostly in ignorance.
 
 -Bram Cohen
 
 Markets can remain irrational longer than you can remain solvent
 -- John Maynard Keynes
 






Re: [IP] Master Key Copying Revealed (Matt Blaze of ATT Labs)

2003-01-24 Thread Matt Blaze
Actually even in their Biaxial design the sidebar hole is always on the
bottom pin, and so the master shares the angle with the change keys.

-matt

 There is, however, a newer medeco design that uses a drill-hole
 instead of a groove.  With that design you can have the pin twist be
 different at different pin-heights (by putting the drill-hole at a
 different twist-angle).  I don't think this attack would work quite
 as easily on this design.
 
 -derek





Patents as a security mechanism

2003-01-21 Thread Matt Blaze
Patents were originally intended, and are usually used (for better
or for worse), as a mechanism for protecting inventors and their
licensees from competition.  But I've noticed a couple of areas where
patents are also used as a security mechanism, aiming to prevent the
unauthorized production of products that might threaten some aspect of a
system's security.

One example close to home is the DVD patents, which, in addition to
providing income for the DVD patent holders, also allows them to prevent
the production of players that don't meet certain requirements.  This
effectively reduces the availability of multi-region players; the patents
protect the security of the region coding system.

Another example I've found is in the world of mechanical locks, where
one of the biggest security threats to users comes from the unauthorized
duplication of keys.  High-security lock manufacturers try to create
key designs that are novel enough to be patented, and advertise the
patents (and the fact that keys have tightly controlled distribution)
as a selling point.  Many users actually prefer these patented products
because even though it means they might have to pay monopoly prices for their
keys, it makes it less likely that a thief will be able to get a duplicate
at the corner hardware store.  I'm a bit skeptical about whether this
really is effective (and at least one legal case, Best v. Ilco, casts some
doubt on the validity of many of the key blank patents) but it's standard
practice in the lock industry.

Are there other examples where patents are used as a security mechanism?

-matt






Re: DeCSS, crypto, law, and economics

2003-01-08 Thread Matt Blaze
  Isn't it about a million times more probable that the industry's main
  concern was PEOPLE RIPPING DVDS AND TRADING THE FILES?
 
 Well, zone locking helps curb this because it *reduces* the market for each
 copy. The finer the zone locking resolution, the more effort an attacker needs
 to make in order to be able to trade more copies.

Huh?  DVD region coding doesn't prevent this at all; ripped decrypted
DVD mpeg files could be played anywhere.

The DVD region code scheme would, however, be mildly effective in reducing
the utility of (encrypted) DVD images by making them playable only on
players from the original market.  But as others have pointed out, there
aren't any consumer DVD writers that can write out an entire image, so
this wouldn't happen anyway with current products.

By the way, import region-free DVD players *are* available, quite
legally, within the US, as are non-region 1 disks.  Kim's video in NYC
is one source.  They are all unfamiliar off brands, however - you won't
find Sony or Matsushita (deliberately) producing one.  The main reason such
players aren't more popular or commonly available here is not the DMCA,
but rather lack of consumer demand.  Most popular movies are available and
cheapest on a region 1 version of the release. It's people outside North
America who buy most of the multi-region players, primarily to take
advantage of the region 1 market.  North American consumers of multi-region
players and other regions' disks are mostly just fanatics like me who
have less mainstream taste and want the few disks that aren't available
for region 1.








Re: password-cracking by journalists...

2002-01-18 Thread Matt Blaze

  17 USC 1204 (a) In General. - Any person who violates section 1201 or 
  1202 willfully and for purposes of commercial advantage or private 
  financial gain -(1) shall be fined not more than $500,000 or imprisoned 
  for not more than 5 years, or both, for the first offense...
 
 
 Does this mean that if you are a private researcher, and 
 reverse-engineered something for fun or the challenge, you escape the 
 clutches of this law?

You may be able to escape the *criminal* clutches of this law.
But you might still be sued under 17 USC 1203, which provides for
seriously frightening statutory damages (as well as actual damages).

-matt









FC'02 accepted papers

2001-12-27 Thread Matt Blaze

The following is the preliminary list of accepted papers for
Financial Cryptography 2002.  For information on the conference,
including registration, see
http://fc02.ai

Paper:   017
Authors: Markus Jakobsson
Title:   Low-Cost Hash Sequence Traversal
-
Paper:   020
Authors: Markus Jakobsson
Title:   Financial Instruments in Recommendation Mechanisms
-
Paper:   021
Authors: Dennis Kugler, Holger Vogt
Title:   Off-line Payments with Auditable Tracing
-
Paper:   027
Authors: Roger Dingledine, Paul Syverson
Title:   Reliable MIX Cascade Networks through Reputation
-
Paper:   031
Authors: Fouque, Stern, Wackers
Title:   CryptoComputing with rationals
-
Paper:   053
Authors: Helger Lipmaa, N. Asokan, Valtteri Niemi
Title:   Secure Vickrey Auctions without Threshold Trust
-
Paper:   058
Authors: Yvo Desmedt, Rei Safavi-Naini, Huaxiong Wang
Title:   Redistribution of a mechanical secret's shares
-
Paper:   059
Authors: Koutarou Suzuki, Makoto Yokoo
Title:   Secure Combinatorial Auctions by Dynamic Programming with Polynomial Secret Sharing
-
Paper:   061
Authors: Ofer Margoniski, Dahlia Malkhi, Elan Pavlov
Title:   E-Voting Without Cryptography
-
Paper:   063
Authors: Jun Furukawa, Hiroshi Miyauchi, Kengo Mori, Satoshi Obana, Kazue Sako
Title:   An Implementation of a Universally Verifiable Electronic Voting Scheme based on Shuffling
-
Paper:   066
Authors: Giuseppe Ateniese, Gene Tsudik
Title:   Quasi-Efficient Revocation in Group Signatures
-
Paper:   067
Authors: Kazumasa Omote, Atsuko Miyaji
Title:   A Second-price Sealed-bid Auction with the Discriminant of the p-th Root
-
Paper:   074
Authors: Dan E. Geer, Moti Yung
Title:   Split-and-Delegate: Threshold Cryptography for the Masses
-
Paper:   076
Authors: Shouhuai Xu, Moti Yung
Title:   The Dark Side of Threshold Cryptography
-
Paper:   077
Authors: John Ioannidis, Sotiris Ioannidis, Angelos Keromytis, Vassilis Prevelakis
Title:   Fileteller: Paying and Getting Paid for File Storage
-
Paper:   083
Authors: Philippe Golle, Stanislaw Jarecki, Ilya Mironov
Title:   Message-Aware Cryptographic Primitives
-
Paper:   086
Authors: Ari Juels, Michael Szydlo
Title:   A Two-Server, Sealed-Bid Auction Protocol
-
Paper:   087
Authors: Takeshi Okamoto, Mitsuru Tada, Atsuko Miyaji
Title:   A Fast Signature Scheme without on-line Multiplication
-
Paper:   088
Authors: Markus Jakobsson, Juan A. Garay
Title:   Timed Release of Standard Digital Signatures
-








Revised CFP (extended deadline): Financial Cryptography 2002

2001-11-01 Thread Matt Blaze


   Revised Call for Papers
 Financial Cryptography '02

   NOTE EXTENDED DEADLINE

  March 11-14, 2002

Sonesta Beach Resort
Southhampton, Bermuda

  Sponsored by the International Financial Cryptography Association

Original papers are solicited on all aspects of financial data security and
digital commerce for submission to the Sixth Annual Conference on Financial
Cryptography (FC '02). FC '02 brings together researchers in the financial,
legal, cryptologic, and data security fields to foster cooperation and
exchange of ideas. Relevant topics include:

 Anonymity
 Audit
 Authentication and Identification
 Certification and Authorization
 Commercial Transactions and Contracts
 Digital Cash
 Digital Rights Management
 Electronic Purses
 Implementation Issues
 Information Economics
 Infrastructure Design
 Legal and Regulatory Issues
 Loyalty Mechanisms
 Peer-to-Peer Systems
 Payments and Micropayments
 Privacy
 Risks Management
 Secure Banking
 Smart Cards
 Trust Management
 Watermarking

Instructions for Authors: Complete papers (or complete extended abstracts)
must be at most fifteen (15) single-spaced standard pages in length and must
be received before 23h59 UTC on November 11, 2001. All papers must be
submitted electronically. (In exceptional circumstances, paper submissions
can be accepted, but special arrangements must be made with the program
chair prior to October 31, 2001.) Papers must be in either standard
PostScript or PDF format, and should be submitted via electronic mail to
[EMAIL PROTECTED] prior to the deadline. Note that submissions in
formats other than PostScript or PDF, including word processor source
formats such as MS Word or LaTeX, will be rejected.

Submitted papers should include on the first page the title, all authors and
their affiliations, a brief abstract, and a list of topical keywords. Papers
must be original; submission of previously published material or papers
under consideration in other conferences or journals is not permitted.

A proceedings will be published as part of the LNCS series. Authors of
accepted papers will have an opportunity to revise their papers for final
publication after the conference.

Proposals for panels are also solicited, and should include a brief
description of the panel as well as prospective participants. Panel
proposals should be submitted by electronic mail to the same address, in
plain ASCII format.

Important Dates:

Submissions due: November 11, 2001
Notifications to authors: December 23, 2001
Camera-ready papers due: February 4, 2002

General Chair:

Nicko van Someren (nCipher)

Program Committee:

Matt Blaze, Program Chair (ATT Labs)

Dan Boneh (Stanford University)
Stefan Brands (Zero Knowledge)
Dan Geer (@stake)
Ian Goldberg (Zero Knowledge)
Angelos Keromytis (Columbia University)
Paul Kocher (Cryptography Research)
Ron Rivest (MIT)
Tomas Sander (Intertrust)
Rebecca Wright (ATT Labs)








Re: The tragedy in NYC

2001-09-13 Thread Matt Blaze

Perry,

Here are my thoughts and fears, which I sent to IP earlier this evening.

-matt


I find myself overwhelmed by emotion.

I'm a native New Yorker - I was born here and have lived here almost
continuously all my life.  I love this city as much as a person can
possibly love a place; the loss of the World Trade Center and the
literally countless lives taken by this senseless and cruel attack
feels intensely personal.  Yes, I'm angry - part of me is consumed by
a visceral, irrational rage that makes me thirst for terrible
vengeance to be brought upon the murderers responsible for this
outrage.  Mostly though, what I feel can only be described as
revulsion.  When I first saw the video of the Trade Center towers
collapsing I became physically ill.  What I really want is simply
for this never to have happened - or at least to ensure that it never
be allowed to happen again.  Whatever the cost.

This, far more than the awful prospect of further terrorist attack, is
what scares me.  My fear is that the terrorists will prove to have
already won.  Not by destroying our buildings, but by scaring us into
abandoning the values that give our society its greatness.

Over the weeks and months to come, people of good will, leaders who
truly believe they have our best interests at heart, will be looking
for ways to make it impossible for this to happen again.  The
temptation to trade away our freedoms will be irresistible, the
pressure to take decisive action, whatever its effect on liberty and
privacy, overwhelming.

My own experience with this, in the calmer times before yesterday, was
focused on the debate over cryptography.  I believed then, and
continue to believe now, that the benefits, to our security and
freedom, of widely available cryptography far, far outweigh the
inevitable damage that comes from its use by criminals and terrorists.
I believed, and continue to believe, that the arguments against widely
available cryptography, while certainly advanced by people of good
will, did not hold up against the cold light of reason and were
inconsistent with the most basic American values.  The debate took
years, and was painful at times for all of us on both sides of it, but
was, in retrospect, a sign of our democracy's good health.  We did not
resolve the cryptography debate emotionally or in secret, but rather
through a political and legal process weighted heavily to favor the
protection of individual rights.

Our collective resolve to maintain the freedom, openness and diversity
that so enriches and defines our society will soon be put to its
greatest test in generations.  Compelling reasons will be offered for
curtailments and restrictions on our ability to travel freely and
spontaneously, to keep private matters confidential, and to speak and
conduct business anonymously.  Pressure will be brought on the
designers of computing and communication infrastructure to include
surveillance capability as primary design criteria, alongside
efficiency and performance.

As a technologist involved in networking I have a special respect for
the awesome and subtle power of architecture.  I worry about the
robustness of systems designed with back doors, the potential for
failure in centrally controlled and managed networks, the weakening of
the end-to-end model that made the Internet such a natural success.
My worries take on a special gravity when I consider how pervasively
connected our communication architecture has become to the fabric of
our democracy.  Like it or not computers and networks, as much as our
Constitution, are now endowed with the power to either protect us from
or make us more vulnerable to evils like unreasonable search and
censorship.

I fear that we will be seduced into accepting what seem at first blush
as nothing more than reasonable inconveniences, small prices to pay
for reducing the risk that terrorism happens on our soil again,
without assessing fully the hidden costs to our values and to the
robustness of our society.  Worse, I fear that we may allow these
things to simply happen, without the debate and exposure that an
informed open society would and must demand.

I'm not suggesting for a moment that we ignore the threat of terrorism
or fail to defend ourselves against an increasingly sophisticated and
obviously determined enemy.  But we will have decisions to make about
the direction we want and expect our society to take, and we must not
make them lightly or passively.  Now would not be a bad time for all
Americans to re-read the Bill of Rights and to reflect on the power
and wisdom of the hard choices that maintaining these rights forces us
to make.  We are not, it is abundantly clear, a society built on
expediency.

Many commentators, in the media and elsewhere, have observed that
September 11th will be remembered as the day that everything changed
in America.  Yes, everything changed yesterday, but we needn't allow
it to change us.

Matt Blaze
New York, 12 September 2001

CFP: Financial Cryptography '02

2001-08-21 Thread Matt Blaze


   Call for Papers
 Financial Cryptography '02

  March 11-14, 2002

Sonesta Beach Resort
Southhampton, Bermuda

  Sponsored by the International Financial Cryptography Association

Original papers are solicited on all aspects of financial data security and
digital commerce for submission to the Sixth Annual Conference on Financial
Cryptography (FC '02). FC '02 brings together researchers in the financial,
legal, cryptologic, and data security fields to foster cooperation and
exchange of ideas. Relevant topics include:

 Anonymity
 Audit
 Authentication and Identification
 Certification and Authorization
 Commercial Transactions and Contracts
 Digital Cash
 Digital Rights Management
 Electronic Purses
 Implementation Issues
 Information Economics
 Infrastructure Design
 Legal and Regulatory Issues
 Loyalty Mechanisms
 Peer-to-Peer Systems
 Payments and Micropayments
 Privacy
 Risks Management
 Secure Banking
 Smart Cards
 Trust Management
 Watermarking

Instructions for Authors: Complete papers (or complete extended abstracts)
must be at most fifteen (15) single-spaced standard pages in length and must
be received before 23h59 UTC on November 4, 2001. All papers must be
submitted electronically. (In exceptional circumstances, paper submissions
can be accepted, but special arrangements must be made with the program
chair prior to October 31, 2001.) Papers must be in either standard
PostScript or PDF format, and should be submitted via electronic mail to
[EMAIL PROTECTED] prior to the deadline. Note that submissions in
formats other than PostScript or PDF, including word processor source
formats such as MS Word or LaTeX, will be rejected.

Submitted papers should include on the first page the title, all authors and
their affiliations, a brief abstract, and a list of topical keywords. Papers
must be original; submission of previously published material or papers
under consideration in other conferences or journals is not permitted.

Proposals for panels are also solicited, and should include a brief
description of the panel as well as prospective participants. Panel
proposals should be submitted by electronic mail to the same address, in
plain ASCII format.

Important Dates:

Submissions due: November 4, 2001
Notifications to authors: December 23, 2001
Camera-ready papers due: February 4, 2002

General Chair:

Nicko van Someren (nCipher)

Program Committee:

Matt Blaze, Program Chair (AT&T Labs)

Dan Boneh (Stanford University)
Stefan Brands (Zero Knowledge)
Dan Geer (@stake)
Ian Goldberg (Zero Knowledge)
Angelos Keromytis (Columbia University)
Paul Kocher (Cryptography Research)
Ron Rivest (MIT)
Tomas Sander (Intertrust)
Rebecca Wright (AT&T Labs)





-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]



New results on WEP (fwd)

2001-07-26 Thread Matt Blaze


Adi Shamir and his colleagues have some interesting
new results on RC4 with a practical attack against WEP.
With Adi's permission, I've made available a (PostScript)
copy of a draft of his paper at:
  http://www.crypto.com/papers/others/rc4_ksaproc.ps

(Fortunately, as far as I know WEP isn't used for copy protection,
so it's still legal to disseminate and traffic in this kind
of information...)

-matt

-- Forwarded Message

Date: Thu, 26 Jul 2001 00:50:03 +0300
From: Shamir Adi [EMAIL PROTECTED]
Organization: Weizmann Institute of Science, Faculty of Mathematics
To: [EMAIL PROTECTED]
Subject: New results on WEP

Dear Matt,

WEP is the security protocol used in the widely deployed
IEEE 802.11 wireless LANs. This protocol received a lot
of attention this year, and several groups of researchers 
have described a number of ways to bypass its security. 

Attached you will find a new paper which describes a truly 
practical direct attack on WEP's cryptography. It is an 
extremely powerful attack which can be applied even when 
WEP's RC4 stream cipher uses a 2048 bit secret key (its 
maximal size) and 128 bit IV modifiers (as proposed in WEP2). 
The attacker can be a completely passive eavesdropper (i.e., 
he does not have to inject packets, monitor responses, or 
use accomplices) and thus his existence is essentially 
undetectable. It is a pure known-ciphertext attack 
(i.e., the attacker need not know or choose their 
corresponding plaintexts). After scanning several hundred 
thousand packets, the attacker can completely recover the 
secret key and thus decrypt all the ciphertexts. The running 
time of the attack grows linearly instead of exponentially 
with the key size, and thus it is negligible even for 2048 
bit keys.

I'll appreciate your comments and suggestions. Please feel 
free to forward this email to your colleagues.


Sincerely yours,

Adi Shamir


--- End of Forwarded Message









Re: Tamperproof devices and backdoors

2001-05-25 Thread Matt Blaze

> > On the Other Other Hand, I vaguely remember a neat paper by Matt Blaze
> > some years ago that shows that certain classes of back doors, like
> > good back doors in conventional crypto systems, are equivalent in
> > difficulty to building a public key system. Anyone remember the name
> > of the paper and the exact content?
>
> Skimming the papers on his web page, I would guess it's related to
>
> M. Blaze, J. Feigenbaum and F.T. Leighton, Master-Key Cryptosystems.
> Abstract presented at Crypto '95 (rump session), Santa Barbara, CA, August
> 1995
>
> http://www.crypto.com/papers/mkcs.ps
>
> which opens by defining a Master-Key Cryptosystem and then goes on to
> show that a MKCS implies a PKCS. The public key is the cryptosystem with a
> back door. The private key is the back door/master key.

That's it.  I vaguely recall a paper about a year or two ago by, I think,
Bart Preneel, that expanded on a similar idea.  I don't think it cited
our MKCS tech report, so I presume he wasn't aware of it and took a slightly
different direction.

Anyway, the MKCS work refers to backdoors in algorithms, which isn't at all
the same as the problem of inserting or discovering backdoors in hardware
or, for that matter, software.

-matt
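A sketch of the reduction the quoted summary refers to, added as an editorial note rather than taken from the paper; the notation below is mine. A master-key cryptosystem (MKCS) is a family of conventional ciphers with a hidden back door: a generator outputs a cipher description $\pi$ and a master key $\mu$, users pick their own keys $k$, and the holder of $\mu$ can decrypt under any $k$.

$$
\begin{aligned}
&\text{MKCS:}\quad \mathsf{Gen} \to (\pi,\mu), \qquad
D^{\pi}_k\big(E^{\pi}_k(m)\big) = m, \qquad
M_{\mu}\big(E^{\pi}_k(m)\big) = m \ \text{ for every } k. \\[4pt]
&\text{PKCS built from it:}\quad
\mathsf{KeyGen} := \mathsf{Gen},\ \ pk := \pi,\ \ sk := \mu; \\
&\qquad \mathsf{Enc}_{pk}(m) := E^{\pi}_k(m) \ \text{ for a fresh random } k \text{ that the sender discards}; \qquad
\mathsf{Dec}_{sk}(c) := M_{\mu}(c).
\end{aligned}
$$

Correctness is exactly the master-key property. For security, anyone who recovers $m$ from $E^{\pi}_k(m)$ knowing $\pi$ but not $\mu$ has used the back door without the master key, so a back door that is hard to exploit without $\mu$ yields a public-key system, which is the equivalence the first quoted paragraph was trying to remember.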






