Re: Anonymous Credit: New proposal
On Sat, Sep 01, 2001 at 11:14:56PM -0500, Frank Tobin wrote:

> Simple. The original author should use a trusted time-stamping service to indicate a trusted 'true' time for the first signature. Alternatively,

Sure, but this was not part of the proposal. And I don't know of any existing time-stamping service which is trusted and provides services to anonymous people. It must be possible to receive the time stamp without revealing your identity, or to get a time stamp which can't be tracked to the message to be posted.

> the detached signature should be presented ahead of time and distributed widely. When the document comes out, you prove you have the secret key, and that your signatures on the document existed in distribution before the document itself was in distribution.

Not really. Makes stealing more difficult, but not impossible. The attacker now has to prevent the distribution of the detached signature *and* has to make the author believe it had successfully been distributed (e.g. fake a mail from a distribution list), then wait for distribution of the full message.

Problem: A signature is simply the wrong cryptographic tool. A signature gives non-repudiation, so the owner of the secret key can't deny having seen the message (which is useless, as long as the identity of the key owner is unknown). But in this case you want to prove that someone is the only author, not that he has seen the message, which is a matter of authentication, not message signing.

New Proposal:

1. Author generates a public/secret key pair, suitable for authentication (maybe zero knowledge, in case the message could bring the author to jail...)

2. Author generates a random number (nonce) and calculates Hashsum(concat(random number, message)).

3. Author anonymously publishes the public key from step 1 and the hashsum from step 2 ("I will later claim authorship of a message...").

4. Some public authorities (as many as possible, whoever should be convinced of authorship later, e.g. mailing list admins, notaries, universities, ...) generate a signature for the public key and the hashsum published in step 3. This means: "We will accept the person who authenticates to this public key as the author of the message with this hashsum." This signature is publicly distributed (sent to a mailing list, put on a web server, ...).

5. If the author receives enough of these signatures, he can be sure to claim authorship later by using the secret key to authenticate. If the author doesn't receive enough signatures within a given amount of time, he repeats from step 2.

6. Author anonymously publishes the message and the random number. The issuers of the signatures (and whoever trusts them) can now link the message to a public key for authentication.

7. Whenever he wants, the author can prove authorship by authenticating to the public key (which might be comfortable if it is a zero-knowledge scheme and the police is waiting...)

Hadmut

- The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
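The seven steps above, worked through end to end as an added example in Go (not code from the post or from any project). SHA-256, Ed25519 and the two domain-separation prefixes are my choices, and step 7 is done as an ordinary signature over a fresh verifier challenge, which stands in for the zero-knowledge authentication the post prefers.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Commitment is what the author publishes anonymously in step 3: the
// authentication public key of step 1 and Hashsum(concat(nonce, message)) of step 2.
type Commitment struct {
	PubKey ed25519.PublicKey
	Hash   []byte
}

// hashSum is step 2. The nonce keeps the hash from being a guessable
// fingerprint of the still unpublished message.
func hashSum(nonce, message []byte) []byte {
	h := sha256.New()
	h.Write(nonce)
	h.Write(message)
	return h.Sum(nil)
}

// commitmentBytes is the exact byte string an authority attests to in step 4,
// prefixed so the attestation cannot be confused with any other signature.
func commitmentBytes(c Commitment) []byte {
	b := []byte("authorship-commitment-v0:")
	b = append(b, c.PubKey...)
	return append(b, c.Hash...)
}

// NewCommitment performs steps 1 and 2 for the author: it returns the
// commitment to publish, the secret key to keep, and the nonce to reveal in step 6.
func NewCommitment(message []byte) (Commitment, ed25519.PrivateKey, []byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Commitment{}, nil, nil, err
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return Commitment{}, nil, nil, err
	}
	return Commitment{PubKey: pub, Hash: hashSum(nonce, message)}, priv, nonce, nil
}

// Attest is step 4: an authority signs "whoever authenticates to PubKey is
// the author of the message with this Hash".
func Attest(authority ed25519.PrivateKey, c Commitment) []byte {
	return ed25519.Sign(authority, commitmentBytes(c))
}

// LinkMessage is step 6 from the verifier's side: the authority's attestation
// must be valid and the revealed nonce and message must hash to the attested value.
func LinkMessage(authorityPub ed25519.PublicKey, c Commitment, attestation, nonce, message []byte) bool {
	return ed25519.Verify(authorityPub, commitmentBytes(c), attestation) &&
		bytes.Equal(hashSum(nonce, message), c.Hash)
}

// ProveAuthorship and VerifyAuthorship are step 7 as plain challenge-response:
// the author signs a fresh challenge chosen by the verifier, never the message.
// Assumption: this stands in for the zero-knowledge scheme the post prefers; an
// Ed25519 response is a transferable signature, not a zero-knowledge proof.
func ProveAuthorship(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, append([]byte("authorship-challenge-v0:"), challenge...))
}

func VerifyAuthorship(c Commitment, challenge, response []byte) bool {
	return ed25519.Verify(c.PubKey, append([]byte("authorship-challenge-v0:"), challenge...), response)
}

func main() {
	msg := []byte("constructed sample message")
	c, priv, nonce, err := NewCommitment(msg)
	if err != nil {
		panic(err)
	}
	authPub, authPriv, err := ed25519.GenerateKey(rand.Reader) // stand-in authority
	if err != nil {
		panic(err)
	}
	att := Attest(authPriv, c)
	challenge := []byte("constructed verifier challenge") // would be random in practice
	fmt.Println("message linked to key:", LinkMessage(authPub, c, att, nonce, msg))
	fmt.Println("author authenticated:  ", VerifyAuthorship(c, challenge, ProveAuthorship(priv, challenge)))
}
```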
Re: Compression side channel
On Sat, Sep 08, 2001 at 10:45:14PM -0400, John Kelsey wrote:

> where the encryption preserves length (e.g., RC4 encryption). Suppose someone is sending a secret S in these messages, and the attacker gets to choose some prefix or suffix to send, e.g.
>
> X[0] = S+suffix[0]
> X[1] = S+suffix[1]
> ...

Good point. The mistake seems to be mixing a (non-compressible) secret and a (compressible, possibly attacker-chosen) message in one compression run. It seems to be a good idea to compress every logical part of the plaintext separately (and to compress only things which are compressible).

Hadmut
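A check for the mistake discussed above, as an added example in Go that is not from the post: does the on-the-wire size of a message depend on whether the chosen suffix repeats part of the secret? The constructed secret and the two suffixes are mine; Go's compress/flate is the compressor, and the DEFLATE output size stands in for the length of a message under a length-preserving cipher such as RC4.

```go
package main

import (
	"bytes"
	"compress/flate"
	"fmt"
)

// Constructed sample values (not from the post): a secret that ends up in the
// same compressed message as data the other side can influence, and two equally
// long suffixes, one of which repeats the first 16 bytes of the secret.
var (
	Secret     = []byte("sessionid=7f3a9c2e1b")
	GuessRight = []byte("sessionid=7f3a9c")
	GuessWrong = []byte("sessionid=4q8v1x")
)

// deflateLen is the DEFLATE output size; with a length-preserving cipher this
// is exactly the ciphertext length an observer sees.
func deflateLen(data []byte) int {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.DefaultCompression)
	if err != nil {
		panic(err)
	}
	w.Write(data)
	w.Close()
	return buf.Len()
}

// JointLen models the mistake the post describes: secret and chosen suffix in
// one compression run, so a suffix that repeats part of the secret becomes a
// back-reference and the output shrinks.
func JointLen(secret, suffix []byte) int {
	joined := append(append([]byte{}, secret...), suffix...)
	return deflateLen(joined)
}

// SeparateLen models the mitigation: each logical part compressed on its own,
// so no back-reference can span the secret and the chosen data.
func SeparateLen(secret, suffix []byte) int {
	return deflateLen(secret) + deflateLen(suffix)
}

// SizeDependsOnSuffix is the review check: does the size differ between two
// equally long suffixes? If it does, the layout leaks information about the secret.
func SizeDependsOnSuffix(size func(secret, suffix []byte) int, secret, a, b []byte) bool {
	return size(secret, a) != size(secret, b)
}

func main() {
	fmt.Println("one run:  ", JointLen(Secret, GuessRight), JointLen(Secret, GuessWrong),
		"leaks:", SizeDependsOnSuffix(JointLen, Secret, GuessRight, GuessWrong))
	fmt.Println("separate: ", SeparateLen(Secret, GuessRight), SeparateLen(Secret, GuessWrong),
		"leaks:", SizeDependsOnSuffix(SeparateLen, Secret, GuessRight, GuessWrong))
}
```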
Which internet services were used?
A German TV news magazine (ZDF spezial) just mentioned that the terrorists also prepared and coordinated by using the internet, but no details were told. Does anyone know more about this?

Hadmut

[Moderator: I've listened to virtually all the news conferences made so far. The FBI has yet to make any such statement. In any case, however, why should we find this any more shocking or unfortunate than terrorism being plotted using telephones, or paper letters, or conversations? Why are there no hysterics noting the plotters travelled using AUTOMOBILES! If the plotters used encryption, well, literally hundreds of millions of law abiding people do so every day as well. Most of the ignorant reporters saying things about encryption use it too, even if they aren't aware of it. --Perry]
Re: crypto backdoors = terrorisms free reign
On Sun, Sep 16, 2001 at 10:00:21AM +0300, Amir Herzberg wrote:

> Suppose by law, everybody can use GAK encryption alg, say `GEEK`. Attacker wishes to use non-GAK algorithm, say `TRICK`. GEEK has a distinguisher module available to NSA which outputs GEEK or SUSPECT for encrypted data (using GEEK or any other algorithm, respectively). Attacker encrypts his data with TRICK and then with GEEK. So this is validly GEEK encrypted data. Until the NSA tries to decipher it, it looks fine.

Obviously. You can make it even more simple: I send you one bit, e.g. a 1. Was this plaintext or a ciphertext encrypted with a forbidden cypher? Well, this leads to the conclusion that you have to forbid sending 1s. Restrict communication to sending 0s. Hopefully nobody discovers that a 0 could be an encrypted 1...

Hadmut
Re: Which internet services were used?
On Mon, Sep 17, 2001 at 09:10:48AM -0500, Matt Crawford wrote:

> The only details I've heard are that the terrorists have elaborate web sites to recruit and solicit donations. Far short of operational use of the internet.

They had two websites in Germany, one for recruiting people (www.qoqaz.de) and one for soliciting money (www.azzam.de), as the German news magazine DER SPIEGEL reports (see http://www.spiegel.de/netzwelt/politik/0,1518,157199,00.html). The websites were closed a few days ago. Just before one of them was closed, a hacker allegedly broke into it and downloaded the 500 member addresses of a newsletter mailing list (see http://www.spiegel.de/netzwelt/medien/0,1518,157759,00.html). Allegedly one of the list members is one of the terrorists.

Hadmut
Re: Passport Passwords Stored in Plaintext
On Fri, Oct 05, 2001 at 01:22:31PM -0500, Joseph Ashwood wrote:

[ Great description of M$ ... ]

> I am unaware of anything Microsoft has ever written that could be considered secure and there is evidence that they plan

Outlook once offered me the choice between no encryption and a so-called "compressible encryption". :-D

Hadmut
Re: collecting an Enigma? [was: Antiques man guilty of Enigma charge]
On Thu, Sep 27, 2001 at 10:37:23AM -0400, Pat Farrell wrote:

> Does anyone know if there is a legal collector's market for Enigma machines?

Some years ago, when I was at the university, the institute had one Enigma, which was bought at an auction. If I remember well, it had cost about DM 15.000,- (about 7,100 US$). The machine was in a very good condition, everything worked well (of course, the original battery was removed), even most of the light bulbs were still working. It was, however, a very simple version (three wheels, no separate wheels, no plug board) and I think it was a commercial version. The box was obviously modified after WWII to remove the signs and labels of the Nazis, but apart from that it was also in good shape.

A friend of mine collects old mechanical calculating machines and therefore used to visit auctions. There are special auctions for these machines and the catalogues usually contained about 1-2 pages of old encryption machines as well (mostly Enigma or Hagelin), but it's about 4 years ago that I've seen such a catalogue. Prices may have increased meanwhile. However, there is definitely a huge market for legal (and probably also stolen) calculating machines, including encryption machines.

regards
Hadmut
Re: Hackers Targeting Home Computers
> WASHINGTON -- Computer hackers, once satisfied to test their skills on large companies, are turning their sights to home computers that are faster, more powerful and less secure than ever before.

On my private computer (DSL, dynamically assigned IP address), I detect an increasing density of attack attempts. More or less serious attempts happen every few minutes on average (depends on the time of day). Highest density is in the evening hours, when hackers and victims find time to be online. This means the probability of an infection of an unprotected private computer is quite high after only some hours of internet access. Most (normal) people I know use such unprotected computers for internet access.

Hadmut
Re: Hackers Targeting Home Computers
On Fri, Jan 04, 2002 at 11:42:27AM -0800, Jeff Simmons wrote:

> Unless I'm misunderstanding you, I find this hard to believe. On my computer (DSL, fixed IP), which is pretty heavily monitored, I'm detecting only a few, maybe up to a dozen, actual attacks a day. Most of them are from well-known root kits, targeting old vulnerabilities. Sunrpc, lpr, imap, and anonymous ftp seem to be popular. Most attacks come from Asia; eastern Europe used to be popular, but seems to have died down recently. The only way I could get anywhere near your numbers is to count all of the Windows-based http attacks coming from automated worms and the like. I'd be interested in hearing from others what kind and frequency of attacks they're experiencing.

There's good reason for the different results. I'm located in Germany and my DSL line is from Deutsche Telekom (T-DSL, T-Online). This is by far the biggest provider in Germany for private DSL internet access, and they also provide large numbers of modem and ISDN accounts. They use a few very well known IP address ranges for all DSL, modem and ISDN customers. Scanning the T-Online address ranges allows you to find heaps of German private computers. Many of the attacks I detect come from within the T-Online network, others often come from the countries you describe.

I compared results with some of my colleagues' results and with results we get from commercial firewalls at the same time. There is a significant difference. It appears that the T-Online network ranges are a favored target of many hackers/scanners/script kiddies. There's no doubt that some attackers prefer attacking private computers and select address ranges where they find most of these computers.

Hadmut
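A way to measure what the two posts above compare (attempts per hour of day, which services are targeted, and how many sources sit inside the access provider's own customer ranges), as an added example in Go that is not from either post. The log lines and the 192.0.2.0/24 provider prefix are constructed placeholders, since neither post gives addresses.

```go
package main

import (
	"fmt"
	"net/netip"
	"strconv"
	"strings"
	"time"
)

// Constructed netfilter-style log lines (not real data; documentation ranges, arbitrary date).
var SampleLog = []string{
	"Jan  4 08:02:11 gw kernel: IN=ppp0 SRC=192.0.2.17 PROTO=TCP DPT=111",
	"Jan  4 08:40:55 gw kernel: IN=ppp0 SRC=203.0.113.5 PROTO=TCP DPT=515",
	"Jan  4 20:01:03 gw kernel: IN=ppp0 SRC=192.0.2.44 PROTO=TCP DPT=143",
	"Jan  4 20:05:19 gw kernel: IN=ppp0 SRC=192.0.2.91 PROTO=TCP DPT=21",
	"Jan  4 20:13:02 gw kernel: IN=ppp0 SRC=192.0.2.130 PROTO=TCP DPT=111",
	"Jan  4 20:20:20 gw kernel: ppp0: link up", // no SRC/DPT, must be skipped
	"Jan  4 21:30:00 gw kernel: IN=ppp0 SRC=198.18.0.4 PROTO=TCP DPT=80",
}

// ProviderRanges is a placeholder for the provider's customer ranges (the post lists none).
var ProviderRanges = []string{"192.0.2.0/24"}

type Event struct {
	When time.Time
	Src  netip.Addr
	Port int
}

// ParseLine pulls timestamp, SRC and DPT out of one line; ok is false when
// either field is missing or malformed, so such lines never reach the counts.
func ParseLine(line string) (ev Event, ok bool) {
	f := strings.Fields(line)
	if len(f) < 4 {
		return ev, false
	}
	var err error
	if ev.When, err = time.Parse("Jan _2 15:04:05", strings.Join(f[:3], " ")); err != nil {
		return ev, false
	}
	for _, kv := range f[3:] {
		switch k, v, _ := strings.Cut(kv, "="); k {
		case "SRC":
			ev.Src, err = netip.ParseAddr(v)
		case "DPT":
			ev.Port, err = strconv.Atoi(v)
		}
		if err != nil {
			return ev, false
		}
	}
	return ev, ev.Src.IsValid() && ev.Port != 0
}

// Report counts attempts per hour of day, per targeted port, and from inside the provider's ranges.
type Report struct {
	Total, FromProvider int
	PerHour, PerPort    map[int]int
}

// Analyze parses every line, skips unparsable ones and classifies each source address.
func Analyze(lines, providerRanges []string) Report {
	var prefixes []netip.Prefix
	for _, r := range providerRanges {
		prefixes = append(prefixes, netip.MustParsePrefix(r))
	}
	rep := Report{PerHour: map[int]int{}, PerPort: map[int]int{}}
	for _, l := range lines {
		ev, ok := ParseLine(l)
		if !ok {
			continue
		}
		rep.Total++
		rep.PerHour[ev.When.Hour()]++
		rep.PerPort[ev.Port]++
		for _, p := range prefixes {
			if p.Contains(ev.Src) {
				rep.FromProvider++
				break
			}
		}
	}
	return rep
}

func main() {
	rep := Analyze(SampleLog, ProviderRanges)
	fmt.Printf("%d attempts, %d from provider ranges; per hour %v; per port %v\n", rep.Total, rep.FromProvider, rep.PerHour, rep.PerPort)
}
```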
Palladium Eye Ear Implants
One of the main properties of the TCPA/Palladium architecture is the (asserted) ability to limit information leaking to untrusted parties. In what way does this affect the appearance of computers as we know them today? It certainly means more than that you can't simply forward copyright-protected information by email in plaintext.

I remember that about 20-25 years ago I read in one of the early computer magazines a proposal how to build a cheap printer from a plain electrical typewriter by attaching a board with electromagnetically operated punchers onto the keyboard without any modification (!) of the typewriter itself.

Assuming that a trusted computer is completely sealed, it still needs some kind of human interface, probably a mouse, a keyboard, and a screen (otherwise it would be questionable what to pay for). Even if the computer is tamperproof, you still could attach such a board simulating your fingers on the keyboard and a camera in front of the screen doing OCR. It should not be much of a problem to teach an untrusted Linux box to read from a trusted sealed machine, reading an e-book page by page.

As a consequence, it is not enough to just encrypt the connection between the computer and the monitor or the keyboard. An encryption of the connection between the computer and the authorized person itself is needed. The solution would be to implant chips in one's head and to connect them to the eye and ear nerves, thus injecting the decrypted information directly into the brain. This also solves the problem that when a person who has paid reads an e-book, other persons who didn't pay could always watch too.

Of course, blue screens become a much more intense experience once they can happen directly in your head and completely shut down your visual and acoustical perception.

Hadmut
Absurdity? (Was: Ross's TCPA paper)
On Fri, Jul 05, 2002 at 09:14:27AM +0100, Matthew Byng-Maddick wrote:

> On Thu, Jul 04, 2002 at 10:54:11PM +0200, Hadmut Danisch wrote:
>
>> [backdoored network cards] I don't think so. As far as I understood, the bus system (PCI, ...) will be encrypted as well. You'll have to use a NIC which is certified and can decrypt the information on the bus. Obviously, you won't get a certification for such a network card.
>
> Surely the obvious thing is that you build a network card without this property, and get it certified, and get the key to decrypt the data. Then you add the backdooring technology, at which point you have the advantage that you both have a certified secure network card, and the key to decrypt data for you on the bus. Not that I'm sure this helps, but it might.

Another question is: How will you print? Certainly, you can't use just a plain printer. Could be any microcontroller pretending to be a printer. So you need a certified and tamper resistant printing device. But what do you print on? Yes, you need certified paper which refuses to agree with being copied.

Hadmut
Freedom Corps vs. Software Security?
Hi,

I just read the latest news in the German news magazine DER SPIEGEL (http://www.spiegel.de/politik/ausland/0,1518,206079,00.html for those who understand German) about Bush's Freedom Corps and the TIPS starting in August (Terrorism Information and Prevention System). They also mentioned that civil rights were simply turned off in the US after Sep 11, e.g. a man was arrested and is still in jail for nothing more than just telling his opinion (the so-called freedom of speech).

The question is: Can American software be trusted anymore, when the US government wants to turn 4% of the US citizens into spies? If they already want to use common people such as plumbers, electricians etc. as spies, isn't it obvious that they will use a thing like software as well?

Some years ago it was like this:

  American software = good, trusted, friends, democracy
  Russian software = evil, made by an empire for espionage

Is it possible that they are currently switching positions?

(Not to insult anyone, just to start a discussion...)

Hadmut
Re: employment market for applied cryptographers?
On Fri, Aug 16, 2002 at 02:23:05AM +0100, Adam Back wrote:

> Other explanations?

Same effect here in Germany. I'm under the impression that security was never really done for security reasons, but as a kind of fashion. Do it because everyone is doing it.

It's a problem of the decision makers. Many companies don't effectively want to have security. They just want to claim to have it. Very few of them are really interested in having a secure network structure. Decision makers often still believe that security means having a firewall and a virus filter. Meanwhile, virtually anyone has some kind of firewall. Everyone has installed some kind of virus scanning software on the mailserver. That fulfills everything decision makers know about security. Why waste money on a security engineer? Why should we have a security engineer to keep the firewall and the scanner alive, if our normal sysadmin can keep the software alive as well?

I know several German companies who are explicitly looking for a security specialist as an employee, but once you examine the job offer, you'll find that they don't want a security engineer who makes their network or software secure. They're looking for a security engineer just to exist and to keep his mouth shut. Just to have an office with the label "security", but not causing any trouble.

Security was never really a requirement, it was some kind of fashion. Fashions come, fashions go. It's not seen as causing revenue. So just drop it if times get worse. Security has crossed its highest level. It will decrease from now on.

Hadmut
Court Decision about russian hackers?
Hi,

I'm looking for a court decision about a case where FBI agents fooled Russian hackers in order to gain their passwords and to intrude into their computers. Unfortunately (or better: fortunately) I'm inexperienced with the American court system. Can anyone give me a hint where/how I can get a copy of the decision, or further information about which court that judge belongs to?

The decision I am looking for was described in a German computer magazine's newsticker: http://www.heise.de/newsticker/data/wst-19.08.02-000/

I'll try to translate the article:

  The Russian secret service FSB has started an investigation against the American FBI agent Michael Schuler. He is accused of illegal intrusion into Russian computers. Two years ago, he lured two suspected Russian hackers into the United States with a fake job offer from the fake company Invita Security. With a fake aptitude test the FBI stole the passwords of the Russians and used them to download evidence from the hackers' computers in Russia. A US court has declared those controversial methods of investigation to be legal. As reported by the US press, judge John C. Coughenour had rejected the request of the lawyer of one of the accused not to accept the files downloaded by the FBI as evidence. The lawyer claimed that the Fourth Amendment had been violated by the FBI. The judge objected that the computers had been outside the USA and had not been the property of US citizens. For this reason the Fourth Amendment couldn't be applied. Furthermore, even if the FBI agents had downloaded the files without judicial permission, they had obtained a permission before analyzing the 250 Gigabytes.

regards
Hadmut
Re: unforgeable optical tokens?
On Fri, Sep 20, 2002 at 02:17:11PM -0400, Trei, Peter wrote:

> It appears to have replay resistance *between* readers - ie, the data from reader A would be useless to spoof reader B, since the two readers will illuminate the device at different locations and angles.

Not really. Illuminating the device at different locations and angles is certainly not as good as a cryptographic challenge. Since the location and angle are set by some mechanical device, the number of locations and angles is certainly small, and once you are in possession of the token (e.g. as a clerk in the shop), it might be possible to generate a complete table of all location/angle/response triples.

Another question is how the reader verifies the token. There must be some description of the token which allows one to verify the token. Is it possible to generate the token responses without actually having the token? (Are token and verification information a public/private key pair?)

I see the reader as a weak point; a second one is that the device does not provide a signature. Even if the device were replay proof, it's not possible to distinguish between a payment of 20 or 40 Euro. There are plenty of good applications for such a token, but credit cards and payment are certainly not among them.

Hadmut
Re: unforgeable optical tokens?
On Sat, Sep 21, 2002 at 12:11:17AM +, David Wagner wrote:

> I find the physical token a poor replacement for cryptography, when the goal is challenge-response authentication over a network. In practice, you never really want just challenge-response authentication; you want to set up a secure, authenticated channel to the other party, which means you probably also need key distribution functionality. The physical token suggested here doesn't help with that at all.

That's the main problem of judging this token: Don't compare it with cryptographic methods. This token is not a matter of cryptography, because there's no secret and no exchange of information. No challenge, no response, no calculation, no stored information, nothing. Therefore it is completely useless in the context of computer networks, which - after all - do nothing else than carry information.

That token can't perform a challenge-response authentication, because it's a piece of plastic and glass; it doesn't listen to your challenge and it won't give you an answer. It's just a gadget of the type "you can't make a similar one again", and that's what it can be used for. Forget about networks and challenge response in the context of this token.

Security is far more than just the standard cryptographic methods. There's security beyond cryptography. So don't have this limited view.

regards
Hadmut
Re: German authorities bungle wiretaps.
On Wed, Nov 06, 2002 at 02:24:18PM -0600, Steven Soroka wrote:

> Which prompts the question, what the hell for?

That's a pretty good question. Police and secret services demanded wiretapping access as absolutely necessary for catching criminals etc. Some politicians agreed for some short time, to give them a try, but to ask for evidence later, whether this is of real use. AFAIK there was no evidence. It was simply forgotten to ask for evidence.

On the other hand, wiretapping is currently not a German thing anymore. Requests to enable law enforcement come mainly from the European Community and - since Sep 11 - from the United States. Remember that it was the German secret service who found the link to Bin Laden after the Sep 11 attacks through wiretapping phone lines. Current wiretapping laws are "Made in Europe", not "Made in Germany".

Furthermore, it is pretty well known that by far more wiretapping in Europe is done by the US/Canada/GB/Australia project Echelon, but since this is done the illegal way, it obviously can't accidentally appear on the phone bills.

But it's true, we have two problems at the moment. The first problem is that there is a lack of legal/political control of official wiretapping. The second problem is that there is almost no control and no defense against the unofficial Echelon wiretapping.

Hadmut
Information Awareness Office
Hi,

a lovely anthology of concepts about human and civil rights (American flavour) can be found at http://www.darpa.mil/iao/

best regards
Hadmut
Re: Stupid security measures, a contest
On Wed, Feb 12, 2003 at 06:10:56PM -0500, Matt Blaze wrote:

> If I were looking for a winner for this, I'd be especially interested in measures that end up reducing security rather than improving it.

One of the worst security measures I've ever personally seen:

Some years ago I was invited as an expert (for security) into a German ministry/government department. I received a paper document which was classified as confidential. I was asked to take it with me, read it, comment on it, and then put it in a paper shredder. As usual, every page of the document was marked as confidential by having a large, bright grey writing running from the bottom left to the top right corner as a background of the text (like the LaTeX draftcopy style).

At this time I was working at the university, and the university was short of money, so we had only a very cheap paper shredder which was cutting the paper only in stripes of about 3-4 mm width instead of little particles as expensive shredders do. Usually it is still too difficult to sort the stripes. It turned out that it was just the diagonal "confidential" label which made it absolutely easy to sort the stripes and to reassemble the pages within seconds.

Another example:

There's a German bank which provides Internet banking through an SSL secured web page, which is after all not a bad idea. When you're on the web page, it opens a new browser window through JavaScript, which then gives you access to the banking and asks for account number and PIN. The web designers decided to open a window without the usual browser decoration, i.e. without showing the URL the page came from:

  function openwin(){
    var WinName='Internetbanking';
    if(is.ie){
      // toolbar=no, menubar=no: the banking window has no location/URL bar
      var param='toolbar=no,menubar=no,scrollbars=yes,resizable=yes,status=yes,width=800,height=600';
      var url='/OnlineBanking/fs_ie.html';
    }
    if(is.ns){
      var param='toolbar=no,menubar=no,scrollbars=yes,resizable=no,status=yes,width=800,height=600';
      var url='/OnlineBanking/fs_ns.html';
    }
    msg=open(url,WinName,param);
  }

So when you're on this page, you're on an encrypted page and the browser shows the padlock symbol promising security, but you can't see whom you are talking with. So you could redirect the browser to any other webserver with a valid SSL certificate and provide webpages with a similar appearance, and ... [you know what].

I've contacted that bank and tried to explain the problem. They completely denied it and claimed that they have high level experts, much more experienced than I am, and that they all said that they use SSL with 128 bit encryption, which is absolutely unbreakable. :-)

(If you wanna see it, try https://banking.diba.de . You could argue that it is not trivial to intercept and modify this already SSL-encrypted page to perform some redirection. I've given this URL only for those who don't speak German and can't navigate through the menus. Usually people start at http://www.diba.de, and with some simple DNS spoofing or an attack on a proxy it could simply redirect telebanking to anywhere.)

regards
Hadmut
Re: Stupid security measures, a contest
On Fri, Feb 14, 2003 at 02:18:00AM -0800, alan wrote:

> The extra anal security guard can be fun to play with.

A little bit more about guards:

In 1985/86 I did my compulsory army service in Koblenz, which also included being the guard of the barracks for several days. When I was the guard of the main entrance, once an army vehicle approached to enter the area. I stopped the vehicle and asked for the identity card, driving license, and driving order, just as usual. The guy in the car gave each, but it was obvious that all three were wrong and forged. I told him to leave the car immediately and come with me to the officer on duty. He smiled and said "Congratulations, this was a security check and you have passed perfectly." I answered "Nice try", immediately pulled the gun, and arrested him, put him in the prison in the guard house, and informed the chief of the barracks area.

It turned out that the guy indeed was a security officer of the army, and it was his job to perform security checks like this. The security department he came from had been performing checks like that one for about 15 years. He said in about 25% of their checks the guards didn't realize that the papers were wrong and let the person pass without questions. In such cases the guards had failed the test. In the other 75% of their checks the guards realized and stopped the person, and so the guards had passed the check. But their officers never ever had to prove that they performed a security check and they never needed their real identity cards. He was the first one to find himself arrested. It was always enough to say "Congratulations, this was a security check and you have passed." to enter the area without further questions and to leave a happy guard behind. No one ever had any doubts. And nobody realized that this was a security leak.

The effect was that the officers of that security department were entering barracks for 15 years as security officers performing security checks without ever having to show a valid identity card and driving order, either in the first or the second way, and didn't realize that this was a security problem. :-)

Hadmut