Re: I'll show you mine if you show me, er, mine
>The description has virtually nothing to do with the actual algorithm >proposed. Follow the link in the article - http://www.stealth-attacks.info/ - >for an actual - if informal - description. > > There is no actual description publically available (there are three completely different protocols described in the press). I talked to the author about this; he sent me a fourth, somewhat reasonable document. At *best*, this is something akin to SRP with the server constantly proving its true nature with every character (yes, shoulder surfers get to attack keys one at a time). It could get pretty bad though, so rather than support it or bash it, I'd just reserve judgement until it's publically documented at Financial Crypto. --Dan
Re: Desire safety on Net? (n) code has the solution
Digital certificates can be explained as digital passports, which help in authentication of the bearer on the Internet. This also helps maintain, privacy and integrity of Net-based transactions. Digital signatures are accorded the same value as paper-based signatures of the physical world by the Indian IT Act 2000. Each of these functions help bring trust in Net-based transactions. This passed by without too many people noticing: http://www.cfo.com/article.cfm/3597911/c_3597966?f=home_todayinfinance === The SEC also asserts that the company's 10-Q bore an unauthorized electronic signature of Guccione -- who was Penthouse's principal executive officer and principal financial officer at the time. The signature indicated that Guccione had reviewed and signed the filing and the accompanying Sarbanes-Oxley certification. “This representation was false,” the SEC stated in its complaint. === "You got your SOX in my Digital Signature Repudiation!" "You got your Digital Signature Repudiation in my SOX!" "Someone order a failed porn empire?" --Dan
Re: Dell to Add Security Chip to PCs
The best that can happen with TCPA is pretty good - it could stop a lot of viruses and malware, for one thing. No, it can't. That's the point; it's not like the code running inside the sandbox becomes magically exploitproof...it just becomes totally opaque to any external auditor. A black hat takes an exploit, encrypts it to the public key exported by the TCPA-compliant environment (think about a worm that encrypts itself to each cached public key) and sends the newly unauditable structure out. Sure, the worm can only manipulate data inside the sandbox, but when the whole *idea* is to put everything valuable inside these safe sandboxes, that's not exactly comforting. --Dan
Re: Dell to Add Security Chip to PCs
Uh, you *really* have no idea how much the black hat community is looking forward to TCPA. For example, Office is going to have core components running inside a protected environment totally immune to antivirus. How? TCPA is only a cryptographic device, and some BIOS code, nothing else. Does the coming of TCPA chips eliminate the bugs, buffer overflows, stack overflows, or any other way to execute arbitrary code? If yes, isn't that a wonderful thing? Obviously it doesn't (eliminate bugs and so on). TCPA eliminates external checks and balances, such as antivirus. As the user, I'm not trusted to audit operations within a TCPA-established sandbox. Antivirus is essentially a user system auditing tool, and TCPA-based systems have these big black boxes AV isn't allowed to analyze. Imagine a sandbox that parses input code signed to an API-derivable public key. Imagine an exploit encrypted to that. Can AV decrypt the payload and prevent execution? No, of course not. Only the TCPA sandbox can. But since AV can't get inside of the TCPA sandbox, whatever content is "protected" in there is quite conspicuously unprotected. It's a little like having a serial killer in San Quentin. You feel really safe until you realize...uh, he's your cellmate. I don't know how clear I can say this, your threat model is broken, and the bad guys can't stop laughing about it. I use cryptographic devices everyday, and TCPA is not different than the present situation. No better, no worse. I do a fair number of conferences with exploit authors every few months, and I can tell you, much worse. "Licking chops" is an accurate assessment. Honestly, it's a little like HID's "radio barcode number" concept of RFID. Everyone expects it to get everywhere, then get exploited mercilessly, then get ripped off the market quite painfully. --Dan
Re: Dell to Add Security Chip to PCs
Uh, you *really* have no idea how much the black hat community is looking forward to TCPA. For example, Office is going to have core components running inside a protected environment totally immune to antivirus. Since these components are going to be managing cryptographic operations, the "well defined API" exposed from within the sandbox will have arbitrary content going in, and opaque content coming out. Malware goes in (there's not a executable environment created that can't be exploited), sets up shop, has no need to be stealthy due to the complete blockage of AV monitors and cleaners, and does what it wants to the plaintext and ciphertext (alters content, changes keys) before emitting it back out the opaque outbound interface. So, no FUD, you lose :) --Dan Erwann ABALEA wrote: On Wed, 2 Feb 2005, Trei, Peter wrote: Seeing as it comes out of the TCG, this is almost certainly the enabling hardware for Palladium/NGSCB. Its a part of your computer which you may not have full control over. Please stop relaying FUD. You have full control over your PC, even if this one is equiped with a TCPA chip. See the TCPA chip as a hardware security module integrated into your PC. An API exists to use it, and one if the functions of this API is 'take ownership', which has the effect of erasing it and regenerating new internal keys.
