Re: "PGP Encryption Proves Powerful"

2003-05-31 Thread Anton Stiglic

So what happened to passphrase guessing?  That's got to be
one of the weakest links.  Unless their private key wasn't
stored on the device?

--Anton

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: "PGP Encryption Proves Powerful"

2003-05-31 Thread David Honig
At 01:22 PM 5/29/03 -0400, Ian Grigg wrote:
>The following appears to be a bona fide case of a
>threat model in action against the PGP program.
>
>Leaving aside commentary on the pros and cons
>within this example, there is a desperate lack of
>real experience in how crypto systems are attacked.

There's also the possibility of disinfo.  For instance,
we all know that more competent agencies than the FBI
were involved.  

The real test of TLA abilities will be to see how many 
Red Brigaders are captured in coming months.  Assuming
that those captures are reported --which they might not,
to conceal TLA abilities.  (Remember Coventry?)

On the other hand, continued R.B. activities would be 
evidence that their hardware, software, and opsec were strong.



Re: Nullsoft's WASTE communication system

2003-05-31 Thread R. A. Hettinga
At 1:33 AM -0700 5/29/03, Bill Stewart wrote:
>Nullsoft, who did Winamp and Gnutella, just released a package called W A S T E
>which does encrypted communications within small groups of people.

It's been pulled -- and mirrored :-). Nullsoft's part of AOHell. Gee, I
wonder how *that* happened...

Probably why they GNUed it, though.

Here's one mirror I found, through Google News:



Don't know if it's still working, as I run a Mac anyway. Lots of
slashdotters were talking about doing linux ports as soon as the
announcement came out, though.

Cheers,
RAH

-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Re: "PGP Encryption Proves Powerful"

2003-05-31 Thread bear

Aside from the whole governments-and-people-and-terrorists thing,
I will say that there was an event last year at my former employers'
that made us very glad we were using PGP.

An engineer's laptop got stolen. With the entire source tree of an
enterprise application that licensed for $25K a seat on it.  Fortunately,
since it was in an encrypted archive, we didn't need to worry too much.

I don't know how many "incidents" like this happen every year.  I don't
think governments care that much about the kind of risk companies not
using crypto to protect their livelihoods take.  They don't become aware
of crypto when it averts trouble.  They become aware of crypto when it
causes trouble.

Bear




Re: "PGP Encryption Proves Powerful"

2003-05-31 Thread John Young
If the FBI cannot crack PGP that does not mean other
agencies with greater prowess cannot. It is unlikely that
the capability to crack PGP would be publicly revealed
for that would close an invaluable source of information.

Intel crackers hardly ever reveal their most essential
tools, though there are orchestrated releases of
capability to mislead.

In the case of the VENONA decrypts, there have been
only partial public releases, along with misleading stories
about how the decrypts were done -- the official story they
were done only by dedicated cryptanalysts without help
of code books or other assists, that Russian carelessness
of OTP preparation provided the crib. Unofficial stories are 
that Russian codebooks were used, at least for some of the
decrypts -- Thomas Powers, for one, recounts this version
in several reprinted essays in "The Intelligence Wars." That
cover stories have been arranged for how the deciphering 
was actually done, some not privy to the hardworking NSA
crackers.

An undisclosed amount of the VENONA messages remain
undeciphered, or at least not made public. Speculation is
that NSA and whomever do not want to tell the full story of
the decrypt capability, again, as with most intelligence 
agencies it is more beneficial to never reveal full capabilities,
in particular not to temporary allies with the understanding
that allies always spy on each other, whether those are US 
TLAs or foreign friends.

The recent opening of domestic cooperation among the intel
agencies and law enforcement will not likely get any of them
to share fully.

Still, it is impressive that PRZ valiantly argues that PGP is
algorithmically impregnable. That should satisfy its users as
well as its crackers. An uncracked code is the perfect spying
tool. Based on a multitude of accounts of sophisticated 
espionage deceptions it might be suspected that is the origin 
of PK crypto, and why it was leaked, and leaked again, and
crypto export was eased, then greased again.

Presumably there will be periodic reports of cryptographic
impregnability to foster wider if not wiser use.



Re: Nullsoft's WASTE communication system

2003-05-31 Thread Eric Rescorla
Bill Stewart <[EMAIL PROTECTED]> writes:

> http://www.nullsoft.com/free/waste/ - Overview
> http://www.nullsoft.com/free/waste/security.html - Security section
> http://www.nullsoft.com/free/waste/network.html - Network design
> http://slashdot.org/article.pl?sid=03/05/29/0140241&mode=thread&tid=126&tid=93
> - Slashdot discussion
> 
> 
> Nullsoft, who did Winamp and Gnutella, just released a package called W A S T E
> which does encrypted communications within small groups of people.
> It doesn't appear to have had outside analysis of its security yet,
> but they do invite it, and they say it needs some work.
It's utterly baffling to me why people like this choose to design
their own thing rather than just using SSL. I've looked through their
design documents and glanced at their code; they don't provide any
security features that SSL doesn't, and they appear to have made a
number of questionable design decisions:

(0) Their messages don't appear to have any sequence numbers, making them
potentially open to a wide variety of integrity attacks. They have some sort
of guid but unless you intend to keep a record of all guids through
a session (horrible) this is only a partial fix for replay and 
not a fix at all for removal.
(1) They use MD5 instead of HMAC for message authentication. Scary.
(2) They use the same encryption keys in both directions. At least
they have the sense to run separate PCBC counters. However,
based on the code it doesn't look like they reset the PCBC
counters after a bad message is received so you may be able to
mount a reflection attack.
(3) They use Blowfish (why not AES?) in PCBC mode (huh?)

I don't think it's worth much time analyzing this... Just one
more case of NIH.

-Ekr

-- 
Eric Rescorla   [EMAIL PROTECTED]
   Web Log: http://www.rtfm.com/movabletype
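To make points (0) through (2) above concrete, here is an added illustration (not WASTE's code, and not Eric's) of the framing those points ask for: a per-message sequence number covered by an HMAC-SHA256 tag, with a separate key for each direction. The key derivation, the message contents and the "client/server" naming are constructed for the example.

```python
import hmac
import hashlib

TAG_LEN = 32  # HMAC-SHA256 output length in bytes


def direction_keys(master):
    """Derive one key per direction from a shared secret.
    Constructed KDF for the example; not WASTE's scheme."""
    c2s = hmac.new(master, b"client->server", hashlib.sha256).digest()
    s2c = hmac.new(master, b"server->client", hashlib.sha256).digest()
    return c2s, s2c


def seal(key, seq, payload):
    """Frame = 4-byte sequence number || payload || HMAC over both."""
    header = seq.to_bytes(4, "big")
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Verifies the tag first, then enforces strictly increasing sequence numbers."""

    def __init__(self, key):
        self.key = key
        self.expected = 0

    def accept(self, frame):
        if len(frame) < 4 + TAG_LEN:
            return "malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        want = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(want, tag):
            return "bad-mac"  # forged, tampered, or reflected under the other key
        seq = int.from_bytes(body[:4], "big")
        if seq < self.expected:
            return "replay"  # already consumed this sequence number
        if seq > self.expected:
            return "gap"  # an earlier frame was removed in transit
        self.expected += 1
        return body[4:]


def demo():
    """Constructed exchange: replay, removal and reflection are all rejected."""
    master = b"constructed-shared-secret-for-the-example"
    c2s, s2c = direction_keys(master)
    server = Receiver(c2s)  # server checks client->server traffic
    client = Receiver(s2c)  # client checks server->client traffic
    frames = [seal(c2s, i, b"msg%d" % i) for i in range(3)]
    results = {}
    results["ok"] = server.accept(frames[0])
    results["replay"] = server.accept(frames[0])  # same frame delivered twice
    results["gap"] = server.accept(frames[2])  # frames[1] silently dropped
    results["in_order"] = server.accept(frames[1])  # late frame still fits the slot
    results["reflection"] = client.accept(frames[1])  # bounced back to its sender
    return results
```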


web apps with large volumes of bidirectional http traffic

2003-05-31 Thread Ryan Lackey
I need to find some relatively widely deployed applications which have
frequent user interactions (rapid clicking on links, from as large a
population of links as possible, and also form filling and such).

(it should be pretty obvious what this is for)

I'd like:

0) *rapid*/frequent user interactions; fast clicking on things (like every
second, no more than 5 seconds)

1) "sticky"...long interactions with a given site (on the order of hours)
(also all links need to be under the same url/same server)

2) large number of potential links for users to click on, with
desirable properties for click distribution (I *think* I want them to
be nearly equally likely, but I might just want a defined
distribution, or I might even want the opposite of that)

3) relatively small data sizes for downloaded data, UNLESS downloaded
data is generated uniquely and "randomly"

4) widely deployed already on the internet, or compelling enough that
there would be a decent number of potential server operators.
(Obviously I could *create* an app which has the desirable
characteristics, but I'd like something which can deal with existing
data or apps served over the internet)

5) good data on how likely users are to click on things, how fast they
click, etc., so one could easily operate within those parameters.

So far, the best ideas:
1) Porn
2) Mailing lists with lots of internal links (next, reply, etc.)
3) Sites with search engines with lots of linked data (encyclopedia,
etc.)
4) html games (or flash, maybe) -- either imagemaps, or just tables,
things like chess, or puzzles, or whatever

I'd definitely appreciate any suggestions on possible web apps which
meet these criteria; reply to lists or [EMAIL PROTECTED]

I'll post when it's ready.

Thanks,
Ryan
-- 
Ryan Lackey [RL960-RIPE AS24812]   [EMAIL PROTECTED]   +1 202 258 9251
OpenPGP DH 4096: B8B8 3D95 F940 9760 C64B   DE90 07AD BE07 D2E0 301F



Re: "PGP Encryption Proves Powerful"

2003-05-31 Thread Arnold G. Reinhold
At 1:22 PM -0400 5/29/03, Ian Grigg wrote:
>The following appears to be a bona fide case of a
>threat model in action against the PGP program.
>Leaving aside commentary on the pros and cons
>within this example, there is a desperate lack of
>real experience in how crypto systems are attacked.
>IMHO, this leads to some rather poorly chosen
>engineering decisions that have shown themselves
>to stymie or halt the success of otherwise good
>crypto systems.
>Does anyone know of a repository for real life
>attacks on crypto systems?  Or are we stuck with
>theoretical and academic threats when building
>new systems?
>iang
There is a lot of material from the World War II era (e.g. Silk and 
Cyanide by Leo Marks) and the early cold war (e.g. 
http://www.nsa.gov/docs/venona/).

Government cryptographic successes are usually highly classified and 
kept that way for decades. There was one recent story about the FBI's 
apparent use of a keyboard logger to get an accused organized 
criminal's password. The latest U.S. Government wiretap report 
http://www.uscourts.gov/wiretap02/contents.html (they are now 
required to report on encryption incidents) says: "Encryption was 
reported to have been encountered in 16 wiretaps terminated in 2002 
and in 18 wiretaps terminated in calendar year 2001 or earlier but 
reported for the first time in 2002; however in none of these cases 
was encryption reported to have prevented law enforcement officials 
from obtaining the plain text of the communications intercepted." By 
comparison they reported 1358 intercepts authorized in 2002.

Arnold Reinhold
