--
It seems to me that mutual authentication is pretty much
irrelevant to HTTPS and certificates. You mutually
authenticate by both knowing the password, as in SPEKE.
Of course, SPEKE is patented, so is this scheme a way of
getting around the patents?
--digsig
James A. Donald
valuable
secrets, since DRM binds the data to the software, and
provides a secure channel to the user. So secrets
representing ID, and secrets representing value, can
only be manipulated by the software that is supposed to
be manipulating it.
--digsig
James
Date sent: Tue, 25 Oct 2005 00:38:36 +0200
To: cyphrpunk <[EMAIL PROTECTED]>
Copies to: John Kelsey <[EMAIL PROTECTED]>, Ian G <[EMAIL PROTECTED]>,
[EMAIL PROTECTED], cryptography@metzdowd.com, [EMAIL PROTECTED]
From: [EMAIL
re possible, use
STL strings where they must be non const.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
nsfA32EGEKM0cU+MepqW0siOwFXqhO6L4ObDt/5P
4n7mr1z57RP4q1W6q39DjzRerUpSJz4w3SYQPtVCh
-
would have licensed at least the other six NIST curves
as well, and most likely the other twelve.
The three curves that are licensed look different from
the other twelve, though I have no idea of the
significance of this, if any.
--digsig
James A. Donald
for this
license, making it profoundly unimpressive as evidence
that *any* curves have a plausible valid patent. If the
NSA paid real money, the patent holders would be
sticking it in our face as a price setting precedent.
--digsig
James A. Donald
--
James A. Donald:
> > Typical worm installation [on a smartphone] goes
> > like this:
> >
> > : : Receive message via bluetooth from
> > : : unnamed device? Y/N
> > : :
> > : : Installation Security warning: Unable to
> > : : verify supplier
from unnamed
: : device? Y/N
: :
: : Installation Security warning: Unable to
: : verify supplier. Continue anyway? Y/N
Seems to me that the phone designers have done a better
job with virus, worm, and malware resistance than
Microsoft or Linux. Teenagers are pretty sophisticated.
hese guys are just blowing
smoke. It has been a long time, and no one has paid out
money on an ECC patent yet.
--digsig
James A. Donald
ty and security on
passwords. If we are going to supplement the users
password with a nicely random number stored in his
computer, we should put the random number in his
bookmark, so that the user conceives of it as his
secret web page, rather than his certificate.
--digsig
James A. Do
are
talking.
--digsig
James A. Donald
--
http://www.jim.com
-
The Cryptography
ZKP to assure the other
> party that they know that secret without revealing it.
>
> If that's indeed so, wouldn't this have key management
> and storage issues that PK was designed to prevent in
> the first place?
But does not, in fact, prevent.
--digsig
ding even less manual intervention
Petname
Also petnames need to be linked to favorites. When you
are on a site that is on your favorites list, you should
see that it is on your favorites list.
--digsig
James A. Donald
certs does not work
in practice. People have been bullied into using it by
their browsers, but it does not give the protection
intended, because people do what is necessary to avoid
being nagged by browsers, not what is necessary to be
secure.
--digsig
, and to identify users, is near zero and seems
unlikely to change. PGP has substantially superior
penetration.
--digsig
James A. Donald
terface, and the mobile user uses the token to log on
to a corrupted computer, then the adversary has control
of the token, even though the rightful user retains
physical control of the token.
--digsig
James A. Donald
--
James A. Donald
> > Is it possible for two web sites to arrange for
> > cross logins?
Steve Furlong
> Does this question have a practical end in mind? If
> so, can you simplify matters by running both web sites
> on the same host?
The situation envisaged is that A.
user says
yes, then A.com sends his browser a redirect to B.com
with an encrypted message in the URL to B.com saying
"This guy is [EMAIL PROTECTED]". To avoid replay attacks,
public key should change every time - public key should
change with the browser cookie used by B.com
se,
this hangover will not last nearly so long.
--digsig
James A. Donald
resent, the overwhelming majority of money transfers
take place over non internet networks, and rely on non
internet identity. Inevitably, this will change, and
that change will both necessitate, and be based on, the
use of public key cryptography.
--digsig
James A. Donald
red secrets are inherently insecure, and no
good practices exist to make them secure.
--digsig
James A. Donald
expensive, and the form of token that
> is needed - a trusted device to put the application,
> display, keypad and net connection on - is even more
> expensive than the stop-gap two-factor authentication
> units commonly sold.
Such a device sounds like a cell phone.
--digsig
--
James A. Donald:
> > Suppose you have something that is inadvertently an
> > oracle - it encrypts stuff from many different users
> > preparatory to sending it out over the internet, and
> > makes no effort to strongly authenticate a user.
> >
> > Have
the internet, and
makes no effort to strongly authenticate a user.
Have it encrypt stuff into a buffer, and on a timer
event, send out the buffer.
Your code is now of course multithreaded - very easy to
get multithreading bugs that never show up during
testing, but non deterministical
Rather the server should send out some encrypted random
data which the end user decrypts. End user should then
prove knowledge of that encrypted data.
--digsig
James A. Donald
--
James A. Donald wrote:
> > Adversary accesses web site as if about to log in,
> > gets a session ID. Then supplies false information
> > to someone else's browser, causes that browser on
> > some one else's computer to use that session ID.
> > So
--
James A. Donald wrote:
> > The way to beat session fixation is to issue a
> > privileged and impossible to predict session ID in
> > response to a correct login.
> >
> > If, however, you grant privileges to a session ID on
> > the basis of a success
logins?
Existing SSH uses tend to be geek oriented, and do not
secure stuff that is under heavy attack. Does anyone
have any examples of SSH securing something that was
valuable to the user, under attack, and then the key
changed without warning? How then did the users react?
--digs
om) focusses on
encryption at the individual level - one key per email
address, not one key per domain name, which would solve
the spam problem, but is less immediately helpful than
one key per domain name.
--digsig
James A. Donald
--
James A. Donald:
> > PKI was designed to defeat man in the middle attacks
> > based on network sniffing, or DNS hijacking, which
> > turned out to be less of a threat than expected.
> >
> > However, the session fixation bugs
> > http://www.acros
middle
attacks. Have these bugs been addressed?
--digsig
James A. Donald
> From: "Patrick" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: [Lucrative-L] double spends, identity agnosticism, and
> Lucrative Date: Tue, 29 Apr 2003 14:46:48 -0600 Importance: Normal
> Sender: [EMAIL PROTECTED]
>
>
> A quick experiment has confirmed the obvious: when a client
> r
disk?
--digsig
James A. Donald
ed such a simple crypto protocol (SICS) in
> SCN'04 [available off my site],
And your site is?
--digsig
James A. Donald
--
James A. Donald wrote:
> > * The user should automagically get his
> > certified key when he sets up the email account,
> > without having to do anything extra. We should
> > allow him the option of doing extra stuff, but
> > the default
used key, a warning comes up an unobtrusive and
easily ignored warning if he has never received a
signed message from that source, a considerably
stronger warning if he has previously received
signed mail from that source.
--digsig
James A. Donald
igher secrecy classifications, more top
than top, a process of classification inflation and debasement.
--digsig
James A. Donald
---
your computer off your desk. If your
cleaning lady is out to get you, it is much easier to create
software that creates a false and misleading sense of security,
than software that stops her.
--digsig
James A. Donald
word, and dictionary attacks should be sufficiently
expensive that a strong password (not your ordinary password)
is secure.
Can anyone suggest a well reviewed, unpatented, protocol that
has the desired properties?
--digsig
James A. Donald
he attacks on MD*/SHA* are weak and esoteric. It is not so
fundamentally broken as to justify starting over.
--digsig
James A. Donald
, the authorities received only selected
excerpts, only what the owner of the records chose to reveal.
--digsig
James A. Donald
ing - needs to be fixed by
implementing cryptographic procedures that are so old that they
are in danger of being forgotten.
--digsig
James A. Donald
s. So add
another 28 bits.
Moore's law tells us the attacker gains a bit every 18 months -
the attack merely means we have to go for larger widths sixteen
years ahead of schedule.
--digsig
James A. Donald
ghly equal. It is a potentially
disastrous one if one party can do violence with impunity to
the one with the ability to convincingly tell the truth.
--digsig
James A. Donald
equally effective attack
> without using an MD5 collision.
I could circulate watermarked versions of copyrighted material
without it being apparent that they were watermarked.
--digsig
James A. Donald
s that it conceals your threat model.
--digsig
James A. Donald
r than MD5, so
it seems to me that MD5 was considered harmful back in 1997,
though I did not know why at the time, and perhaps no one knew
why.
--digsig
James A. Donald
crypto device would be programmed by burning new
proms, thus enabling easy reprogramming, while making it
resistant to trojans and viruses.
--digsig
James A. Donald
re it on a trusted machine. Just say no to Windows XP.
> It's easy, especially when he's storing a bearer bond worth a
> car.
What machine, attached to a network, using a web browser, and
sending and receiving mail, would you trust?
--digsig
James A. Donald
frost are already doing this.
http://jtcfrost.sourceforge.net/
If the music companies continue to try to hold back the tide,
this may be the best thing yet for encryption.
--digsig
James A. Donald
--
At 12:30 PM 9/7/2003 -0700, James A. Donald wrote:
> > To the extent that trust information is centrally handled,
> > as it is handled by browsers, it will tend to be applied in
> > ways that benefit the state and the central authority
On 7 Sep 2003 at 17:19, Anne &a
ublic key when they log on to an SSH server.
--digsig
James A. Donald
---
--
On 1 Sep 2003 at 19:17, Hadmut Danisch wrote:
> Is cryptography where security took the wrong branch?
True names is where security took the wrong branch. The entire
PKI structure has been rejected.
--digsig
James A. Donald
s anyone who
tries to get a free certificate from Thawte will discover,
makes it difficult, expensive, and inconvenient to get
certificates.
--digsig
James A. Donald
hat you are browsing if they have universal
monitoring. However the potentially long delay between
publication and appearance means that freenet could, if
implemented correctly, prevent the authorities from knowing who
published what, even with universal monitoring, and even if
they did know who r
ime you visit the site.
In practice, if people were able to ensure they saw the same
cert every time they hit what is purportedly the same site,
this would take out most scams.
Unfortunately, no one is going to memorize fingerprints.
--digsig
James A. Donald
--
James A. Donald:
> > Which is fine provided your code, rather than the framework
> > code provided the cookie, and provided you generated the
> > cookie in response to a valid login, as Ben Laurie does.
> > The framework, however, generally provides insecure
fine provided your code, rather than the framework
code provided the cookie, and provided you generated the cookie
in response to a valid login, as Ben Laurie does. The
framework, however, generally provides insecure cookies.
--digsig
James A. Donald
--
On 14 Jun 2003 at 21:42, Ben Laurie wrote:
> The obvious answer is you always switch to a new session
> after login. Nothing cleverer is required, surely?
I had dreamed up some rather complicated solutions.
--digsig
James A. Donald
l, and the gate is the
responsibility of the supplies and transport division"
--digsig
James A. Donald
--
--
James A. Donald wrote:
> > This flaw is massive, and the biggest villain is the server
> > side code created for Apache.
Ben Laurie
> This isn't the case. I analysed several sites I work on for
> attacks of the type described when this paper first came out.
> No
--
On 12 Jun 2003 at 16:25, Steve Schear wrote:
> > > http://www.acros.si/papers/session_fixation.pdf
"James A. Donald"
> > Wow.
> >
> > This flaw is massive, and the biggest villain is the server
> > side code created for Apache.
On 13 Jun 2003
long term, https must be amended to have a concept of
login and session, and make that sessionID available to the
server side coding environments.
--digsig
James A. Donald
have sufficed. Self signed public keys would have
worked even better.
--digsig
James A. Donald
rets, it
would help.
--digsig
James A. Donald
ther than to verisign.
--digsig
James A. Donald
> non-internet, point-of-sale, debit, credit, ach,
> stored-value, etc).
I think you have put your finger right on the problem.
Certificates, https, and the entire PKI structure were designed
for an accountless world, but the problem is accounts.
--digsig
James A. D
es by default, it would make little difference to
security.
A wide variety of ways of getting big name certificates that
one should not have, have been discovered. Attackers never
showed much interest.
--digsig
James A. Donald
art, where the server, but
not the client, is supposedly authenticated, does not do much
good.
--digsig
James A. Donald
--
James A. Donald:
> > I keep posting "you cannot do this using https", and people
> > keep replying "yes you can"
On 10 Jun 2003 at 1:52, John R. Levine wrote:
> I think there's two separate problems here. One is domain
> squatting. I've
e. The
solution, envisaged a long time ago, but not implemented
successfully, is not to use shared secrets.
--digsig
James A. Donald
I keep posting "you cannot do this using https",
and people keep replying "yes you can"
No you cannot, cause if you could, paypal, e-gold,
e-bay, and the rest would not be suffering from the problem illustrated by scam
mails such as the following
(When you hit the submit button, guess wha
Attached is a spam mail that constitutes an attack on paypal similar
in effect and method to man in the middle.
The bottom line is that https just is not working. It's broken.
The fact that people keep using shared secrets is a symptom of https
not working.
The flaw in https is that you cannot
e been key administrator for several
companies, and have unfailingly found that I was the only
person capable of doing these operations at that company.
--digsig
James A. Donald
ution that is almost
invisible to both parties, but it requires custom software on
both client and server.
--digsig
James A. Donald
---
--
James A. Donald:
> > Suppose the e-gold, to prevent this sea of spam trying to
> > get people to login to fake e-gold sites, wanted people to
> > use public keys instead of shared secrets, making your
> > secret key the instrument that controls the account ins
--
James A. Donald:
> > Certificate caching is not the problem that needs solving.
> > The problem is all this spam attempting to fool people into
> > logging in to fake BofA websites and fake e-gold websites,
> > to steal their passwords or credit card numbers
On
ame user as
last time.
--digsig
James A. Donald
--
James A. Donald
> > > > Or to say the same thing in different words -- why
> > > > can't HTTPS be more like SSH? Why are we seeing a
> > > > snow storm of scam mails trying to get us to login to
> > > > e-g0ld.com?
Eric Rescor
;s schemes, perhaps other
people's similar schemes.
The fact that e-gold does not know what is going on suggests
that past attempts to support micropayments failed by putting
too great a burden on those seeking to participate.
--digsig
James A. Donald
--
James A. Donald
> > Or to say the same thing in different words -- why can't
> > HTTPS be more like SSH? Why are we seeing a snow storm
> > of scam mails trying to get us to login to e-g0ld.com?
Eric Rescorla
> Because HTTPS is designed to let you talk to peo
private keys, and the networks are setup to rely
on shared secrets because there is no practical alternative.
--digsig
James A. Donald
--
On 3 Jun 2003 at 15:04, James A. Donald wrote:
> I never figured out how to use a certificate to authenticate
> a client to a web server, how to make a web form available to
> one client and not another. Where do I start?
>
> What I and everyone else does is use a s
umber of
webservers. Was this what the people who created this protocol
intended?
--digsig
James A. Donald