Re: The meat with multiple PGP subkeys

2003-06-18 Thread David Shaw
On Tue, Jun 17, 2003 at 11:42:13PM +0200, martin f krafft wrote:
> My key, 220BC883330C4A75, has multiple encryption subkeys, and it's
> about to get another one on Friday, as my current encryption key
> expires.
> 
> A lot of people are reporting that they cannot encrypt to me, due to
> an unusable public key. It only seems to work if they use modern
> software and obtain my key from keyserver.kjsl.com:11371 or the
> various URLs where it sits.
> 
> I am already working with keyserver maintainers to get their
> keyservers up to par, but before this can be completed, I feel that
> I need to get an exact understanding of what's going on.
> 
> Could someone help me clean up this understanding?
> 
> - What is the problem with multiple subkeys?

The problem is that the PKS keyserver was not written to handle keys
with multiple subkeys.  This was around the era of PGP 5.0, RFC-2440
hadn't been published yet, and there was some uncertainty on that
topic.  So PKS was never written to handle multiple subkeys, and as an
unfortunate side effect of that, it mangled any keys it saw that did
have multiple subkeys.  On top of that, since keyservers synchronize
with each other, every other server would learn this mangled key.

Alas, PKS is still in wide use, but never got the ability to handle
multiple subkeys.  I contributed some fixes so PKS would at least not
mangle keys, but not every keyserver has upgraded.

> - Are they in accordance with the RFC (2440)?

Yes, and both PGP and GnuPG handle them correctly.  It's just this one
particular keyserver program that doesn't.

> - Are others experiencing these problems, and how do you deal with
>   them?
>
> - Is there a solution in the works?

The ultimate solution is to either fix or replace PKS.  Both of these
have been happening, with a fair edge to the "replace" camp.  There
are several different keyservers (SKS [1], ONAK [2], etc) that are
truly 2440 compliant.  SKS is probably the most mature at this point,
and can replace a PKS installation.

Note that the LDAP keyserver from PGP.com works correctly as well, but
is not a free (in cost and in freedom) product so is generally not
used as part of the public keyserver net.  The PGP folks run one at
ldap://keyserver.pgp.com, but it is not synchronized with the rest of
the servers.

A reasonable question would be "Why don't all the PKS operators
replace their server with SKS or something else?".  I don't have a
good answer to that.  It's certainly been asked.[3]

Recently, the number of working keyservers reached the point where it
became possible to establish a simple way to reach them.  Similar to
the "wwwkeys.pgp.net" round robin keyserver address, the
"subkeys.pgp.net" name will reach one of the unbroken keyservers
(keyserver.kjsl.com being one of them), ignoring the broken ones.

So, the short answer to all of this is to use "subkeys.pgp.net" as
your keyserver and you should be fine.  The next version of GnuPG will
ship with this set as the default keyserver.

David

[1] http://sks.sourceforge.net/

[2] http://www.earth.li/projectpurple/progs/onak.html

[3] http://lists.kjsl.com/pipermail/pgp-keyserver-folk/2003-March/001071.html




Pre-cursor to Non-Secret Encryption

2003-06-18 Thread John Young
James Ellis, GCHQ, in his account of the development of non-secret
encryption credits a Bell Laboratories 1944 report on "Project
C-43" for stimulating his conception:


http://www.cesg.gov.uk/publications/media/nsecret/possnse.pdf

  The Possibility of Secure Non-Secret Digital Encryption
  J. H. Ellis, January 1970

  Reference: (1) "Final report on project C43." Bell Telephone 
  Laboratory, October, 1944, p.23.

The Bell lab paper appears not to be online.

Brian Durham notes that NSA has listed in its Open Door archive of
declassified crypto papers several that refer to a Project C-43, which
investigated the decoding of speech codes from 1941 to 1944.


http://www.nsa.gov/programs/opendoor/narafindaid.html

  NR 4242 ZEMA172 35374A 19410521 PROJECT C-43 PRELIMINARY 
  REPORTS

  NR 4243 ZEMA172 35375A 19411215 PROJECT C43 PRELIMINARY 
  AND PROGRESS REPORTS

  NR 4675 ZEMA43 21276A 19430130 PROJECT C-43 CONTINUATION 
  OF DECODING SPEECH CODES

  NR 3391 CBPM44 24215A 19441012 PROJECT C-43 DECODING 
  SPEECH CODES

The date of the last, October 12, 1944, corresponds to that of the
Ellis citation. If this is the paper Ellis is referring to, it is worth
noting the dates of the earlier reports, two in 1941 and one in 1943.

Two other reports in the NSA archive may be related:

  NR 2416 CBLM17 5452A 19420529 NRDC PROJECT C-32: AC 
  AND EC CASE NO. 22

  NR 4674 ZEMA43 21275A 19420131 FINAL REPORT ON 
  PROJECT C-32 SPEECH PRIVACY DECODING, 1942

Brian Durham will get copies of the paper for putting online,
but that may take a while. 

Meanwhile, we would appreciate hearing from anyone who 
has read the papers or may have copies of them to share
for publication.

Related: We have a three-year-old FOIA request to NSA for 
information on:

  The invention, discovery and development of "non-secret 
  encryption" (NSE) and public key cryptography (PKC) by 
  United Kingdom, United States, or any other nation's 
  intelligence and cryptology agencies, prior to, parallel with, 
  or subsequent to, the PKC work of Diffie-Hellman-Merkle. 

NSA has recently said that some responsive information 
may be released in the near future, although it is not clear if 
that is weeks or months or years away.



-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: Session Fixation Vulnerability in Web Based Apps

2003-06-18 Thread Nick Popoff

On Tue, 17 Jun 2003, Ian Grigg wrote:
> does anyone know how the easy way to secure a PHP website against
> session_fixation?

I noticed that the PHP documentation includes a new section on session
insecurity and a link to the paper on session fixation.

http://www.php.net/manual/en/ref.session.php

The latest version of PHP (4.3.2) includes a new function which should be
called by your login processing page as soon as you mark the session as
logged in to generate a new session ID.  That should solve the session
fixation problem since any previous session is discarded by this function.

http://www.php.net/manual/en/function.session-regenerate-id.php

Unfortunately it does seem that anyone using the PHP session generator is
vulnerable until they apply this change. I suspect the PHP mailing lists
have been buzzing about this.  Further discussion of PHP should probably
go there rather than here.
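To make the fix concrete, here is an added example (not code from the post, and not PHP's own implementation) that models the same behaviour in Python: a small in-memory session store in which `regenerate_id()` plays the role of PHP's `session_regenerate_id()`. The login routine that keeps the client-presented session ID is shown next to the one that rotates it at the moment the session becomes authenticated. The session IDs and the store itself are constructed for the demonstration.

```python
"""Session fixation and its remedy, modelled on PHP's session handling.

Added example: the SessionStore and both login functions are constructed
stand-ins, not PHP code. regenerate_id() mirrors what the manual page for
session_regenerate_id() describes: a fresh ID, old one discarded."""

import secrets


class SessionStore:
    """In-memory session store standing in for the PHP session handler."""

    def __init__(self):
        self._sessions = {}

    def get(self, sid: str) -> dict:
        # Like session_start() with an ID supplied by the client: an ID the
        # server has never issued is accepted and an empty session created
        # under it. That acceptance is what makes fixation possible.
        return self._sessions.setdefault(sid, {})

    def regenerate_id(self, old_sid: str) -> str:
        """Counterpart of session_regenerate_id(): move the data to a fresh,
        unpredictable ID and drop the old ID from the store."""
        data = self._sessions.pop(old_sid, {})
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = data
        return new_sid

    def is_logged_in(self, sid: str) -> bool:
        return self._sessions.get(sid, {}).get("user") is not None


def login_fixation_prone(store: SessionStore, sid: str, user: str) -> str:
    """Marks the session logged in but keeps whatever ID the client presented,
    so anyone who chose that ID beforehand now holds an authenticated session."""
    store.get(sid)["user"] = user
    return sid


def login_hardened(store: SessionStore, sid: str, user: str) -> str:
    """Rotates the session ID as soon as the session is marked logged in, as
    the PHP manual recommends for session_regenerate_id()."""
    store.get(sid)["user"] = user
    return store.regenerate_id(sid)


def demo(login) -> tuple:
    """Run the fixation scenario against a login routine.

    Returns (pre-chosen ID is authenticated, ID returned by login is
    authenticated). A safe login yields (False, True)."""
    store = SessionStore()
    chosen = "fixed-id-known-in-advance"   # constructed: an ID set before login
    store.get(chosen)                       # the application accepts it as-is
    new_sid = login(store, chosen, "alice")  # constructed user name
    return store.is_logged_in(chosen), store.is_logged_in(new_sid)


if __name__ == "__main__":
    print("without regeneration:", demo(login_fixation_prone))
    print("with regeneration   :", demo(login_hardened))
```

The point of the comparison is where the ID changes: rotating it at the privilege boundary (login) means an ID that existed before authentication never becomes an authenticated one, regardless of how the client came by it.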




PODC early registration and hotel deadlines (June 18/19)

2003-06-18 Thread Amir Herzberg

Dear Colleagues,

One final reminder about the PODC early registration deadline, which
is TOMORROW, June 18.  There is a link to the online registration on
the PODC 2003 webpage at:
http://www.podc.org/podc2003/

Also, the deadline to get the low conference rate at the hotel has been
extended to THIS THURSDAY, June 19th, so book your room asap!
We are trying to broaden PODC, so please forward this reminder to
anyone who might be interested in attending PODC 2003, including
people who may not regularly attend PODC, but may be attracted to come
this year because of the special security track or because they are
local (in the Boston area).
SPECIAL NOTE TO AUTHORS:
We only have email addresses for the contact authors of each paper,
so please forward this reminder to your co-authors!
I apologize for the extra email to those who have already registered,
and for any duplicates that you may receive.
I look forward to seeing many of you at PODC in July!

 Victor Luchangco
 PODC 2003 Publicity Chair
Amir Herzberg
http://amir.herzberg.name


Re: The meat with multiple PGP subkeys

2003-06-18 Thread Werner Koch
On Tue, 17 Jun 2003 23:42:13 +0200, martin f krafft said:

> an unusable public key. It only seems to work if they use modern
> software and obtain my key from keyserver.kjsl.com:11371 or the

You may also want to use subkeys.pgp.net.  These are servers running
software not eating keys.

> - What is the problem with multiple subkeys?

pksd used to have only a simple hack to support *one* subkey but no
revocation for them etc.  If they encounter a key with an "unknown"
structure they start to eat packets or swap them around.

Updated pksd versions are much better and won't eat them anymore.
However, due to the synchronisation they can't do much about already
garbled keys except for removing invalid parts.

> - Are they in accordance with the RFC (2440)?

Sure.

> - Are others experiencing these problems, and how do you deal with
>   them?

I have had these problems for many years now and as a workaround I use the
X-Request-PGP header to point to a valid source of my key.

> - Is there a solution in the works?

There are a couple of new keyserver programs actually in use but not
yet widespread enough.  subkeys.pgp.net is a good start.

> - If not, has anyone already thought about how to solve this mess?

All keyserver operators should update to the new pksd or even better
use one of the modern servers.


Shalom-Salam,

   Werner

-- 
Werner Koch  <[EMAIL PROTECTED]>
The GnuPG Experts  http://g10code.com
Free Software Foundation Europe  http://fsfeurope.org
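Both David Shaw's and Werner Koch's replies above come down to keyserver software that drops or reorders the packets of a key with more than one subkey. A practical check after fetching a key is to walk its RFC 2440 packet sequence and confirm that every subkey packet is still followed by the signature that binds it. The following is an added example, not code from the posts, GnuPG or pksd: a small parser for old- and new-format packet headers plus a structure check, run over a constructed sample key whose packet bodies are placeholders.

```python
"""Inspect the packet sequence of an OpenPGP (RFC 2440) public key: count its
subkeys and flag any subkey packet that is not followed by a signature packet,
one visible symptom of the key-eating behaviour described in the thread.

Added example (not code from the posts, GnuPG or pksd). The sample key is
constructed from real packet headers with dummy bodies, not a real key."""

# Packet tags, RFC 2440 section 4.3
TAG_SIGNATURE = 2
TAG_PUBLIC_KEY = 6
TAG_USER_ID = 13
TAG_PUBLIC_SUBKEY = 14


def parse_packets(data: bytes):
    """Return a list of (tag, body) for every packet in data.

    Handles old-format (RFC 2440 4.2.1) and new-format (4.2.2) headers;
    new-format partial body lengths (224..254) are rejected rather than
    decoded, since a transferable public key normally does not use them."""
    packets = []
    i, n = 0, len(data)
    while i < n:
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"bit 7 clear at offset {i}: not a packet header")
        i += 1
        if ctb & 0x40:
            # new format: tag in the low six bits, variable-size length field
            tag = ctb & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths are not supported")
        else:
            # old format: tag in bits 5..2, length-type in bits 1..0
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                length = n - i  # indeterminate length: packet runs to the end
            else:
                width = (1, 2, 4)[ltype]
                length = int.from_bytes(data[i:i + width], "big")
                i += width
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError(f"packet at offset {i} is truncated")
        i += length
        packets.append((tag, body))
    return packets


def key_structure(data: bytes) -> dict:
    """Summarise a public key block: packet count, subkeys, and subkeys that
    lack the signature packet that should bind them to the primary key."""
    tags = [tag for tag, _ in parse_packets(data)]
    if not tags or tags[0] != TAG_PUBLIC_KEY:
        raise ValueError("block does not start with a public-key packet")
    subkeys = unbound = 0
    for idx, tag in enumerate(tags):
        if tag == TAG_PUBLIC_SUBKEY:
            subkeys += 1
            if idx + 1 == len(tags) or tags[idx + 1] != TAG_SIGNATURE:
                unbound += 1
    return {"packets": len(tags), "subkeys": subkeys, "unbound_subkeys": unbound}


def packet(tag: int, body: bytes, new_format: bool = False) -> bytes:
    """Build one packet with a one-octet length (bodies here are < 192 bytes)."""
    if new_format:
        return bytes([0xC0 | tag, len(body)]) + body
    return bytes([0x80 | (tag << 2), len(body)]) + body


# Constructed sample: primary key, user ID plus self-signature, then two
# encryption subkeys each followed by its binding signature. Bodies are
# placeholders; only the packet layout matters to the structure check.
GOOD_KEY = (
    packet(TAG_PUBLIC_KEY, b"\x04" + b"P" * 20)
    + packet(TAG_USER_ID, b"Example User (constructed) <user@example.org>")
    + packet(TAG_SIGNATURE, b"S" * 10)
    + packet(TAG_PUBLIC_SUBKEY, b"\x04" + b"E" * 20)
    + packet(TAG_SIGNATURE, b"B" * 10, new_format=True)
    + packet(TAG_PUBLIC_SUBKEY, b"\x04" + b"F" * 20, new_format=True)
    + packet(TAG_SIGNATURE, b"B" * 10)
)
# The same key with the last binding signature dropped (12 bytes: a 2-byte
# header plus a 10-byte body), the kind of damage described in the thread.
MANGLED_KEY = GOOD_KEY[:-12]

if __name__ == "__main__":
    print("intact :", key_structure(GOOD_KEY))
    print("mangled:", key_structure(MANGLED_KEY))
```

A key fetched from a server that "eats" packets shows up here as `unbound_subkeys > 0` or as a subkey count lower than the owner advertises; GnuPG's own import applies stricter checks, but a structure walk like this is enough to tell a mangled copy from an intact one before trusting a keyserver's answer.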




Re: Pre-cursor to Non-Secret Encryption

2003-06-18 Thread Fredrik Henbjork
John Young <[EMAIL PROTECTED]> wrote:
> James Ellis, GCHQ, in his account of the development of non-secret
> encryption credits a Bell Laboratories 1944 report  on "Project
> C-43" for stimulating his conception:
> 
> 
> http://www.cesg.gov.uk/publications/media/nsecret/possnse.pdf

The URL above does not work. The new one is:

http://www.cesg.gov.uk/site/publications/media/nsecret/possnse.pdf

Fredrik Henbjork <[EMAIL PROTECTED]>




Re: The meat with multiple PGP subkeys

2003-06-18 Thread Stefan Kelm
David,

> A reasonable question would be "Why don't all the PKS operators
> replace their server with SKS or something else?".  I don't have a
> good answer to that.  It's certainly been asked.[3]

...and has been answered a number of times. The thing is (and most people 
seem to forget about this now and then) that most, if not all, of the 
pgp.net server operators do run their servers in their spare time. Since 
pksd has a long history of not being overly stable one is happy once the 
server is up and running. Thus, the never-change-a-running-system 
paradigm is being lived in this realm.  

Cheers,

Stefan.

Security Awareness Symposium - 24.-25.06.2003, Karlsruhe
http://www.security-awareness-symposium.de/

Dipl.-Inform. Stefan Kelm
Security Consultant

Secorvo Security Consulting GmbH
Albert-Nestler-Strasse 9, D-76131 Karlsruhe

Tel. +49 721 6105-461, Fax +49 721 6105-455
E-Mail [EMAIL PROTECTED], http://www.secorvo.de/
---
PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B





Re: Pre-cursor to Non-Secret Encryption

2003-06-18 Thread Dave Howe
John Young wrote:
> James Ellis, GCHQ, in his account of the development of non-secret
> encryption credits a Bell Laboratories 1944 report  on "Project
> C-43" for stimulating his conception:

However the concept seems familiar enough - unless I am missing something, a
PRNG (n for noise rather than number this time) in sync with a similar PRNG
at the recipient end is mixed with the plaintext signal to give a
cryptotext; the matching unit subtracts the same values from the received
signal to give the original plaintext.  If it were digital we would probably
xor it :)
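The scheme sketched in the post, as an added example that is not part of the original message and not taken from the 1944 report: two ends run the same noise generator from the same starting state, the sender mixes the noise into the signal, and the receiver subtracts the same values; in the digital form the mixing is XOR, which is its own inverse. The generator here is a toy linear congruential generator chosen so the example runs offline; a deployed system would need a cryptographic keystream generator in its place.

```python
"""Synchronised-keystream cipher in the shape sketched above: additive mixing
with subtraction at the receiver, and the XOR variant for digital samples.

Added example; the NoiseGenerator is a constructed toy (an LCG), not a
cryptographic generator and not what the 1944 report used."""


class NoiseGenerator:
    """Toy deterministic generator standing in for the synchronised noise
    source at each end. Same seed and same number of draws give the same
    sequence, which is the synchrony the scheme relies on."""

    def __init__(self, seed: int):
        self.state = seed & 0xFFFFFFFF

    def next_byte(self) -> int:
        self.state = (1103515245 * self.state + 12345) & 0xFFFFFFFF
        return (self.state >> 16) & 0xFF


def additive_mix(samples: bytes, seed: int, decrypt: bool = False) -> bytes:
    """Analog-style mixing: add the noise value to each sample (mod 256) at the
    sender; the receiver subtracts the same value drawn from its own copy."""
    gen = NoiseGenerator(seed)
    out = []
    for s in samples:
        n = gen.next_byte()
        out.append((s - n) % 256 if decrypt else (s + n) % 256)
    return bytes(out)


def xor_mix(samples: bytes, seed: int) -> bytes:
    """Digital form: XOR with the keystream; one function serves both ends."""
    gen = NoiseGenerator(seed)
    return bytes(s ^ gen.next_byte() for s in samples)


def demo() -> tuple:
    """Returns (additive round trip ok, xor round trip ok, out-of-sync receiver ok).

    The third value shows that a receiver whose generator is in a different
    state recovers nothing, which is why the two ends must stay in sync."""
    plaintext = b"speech sample (constructed)"  # constructed input
    seed = 0x1944                               # constructed shared start state
    dec = additive_mix(additive_mix(plaintext, seed), seed, decrypt=True)
    xenc = xor_mix(plaintext, seed)
    xdec = xor_mix(xenc, seed)
    out_of_sync = xor_mix(xenc, seed + 1)
    return dec == plaintext, xdec == plaintext, out_of_sync == plaintext


if __name__ == "__main__":
    print(demo())
```

The additive form needs separate encrypt and decrypt directions because addition mod 256 is not self-inverse; XOR collapses the two into one routine, which is the convenience the post alludes to.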




Re: The meat with multiple PGP subkeys

2003-06-18 Thread David Shaw
On Wed, Jun 18, 2003 at 03:47:01PM +0200, Stefan Kelm wrote:
> David,
> 
> > A reasonable question would be "Why don't all the PKS operators
> > replace their server with SKS or something else?".  I don't have a
> > good answer to that.  It's certainly been asked.[3]
> 
> ...and has been answered a number of times. The thing is (and most people 
> seem to forget about this now and then) that most, if not all, of the 
> pgp.net server operators do run their servers in their spare time. Since 
> pksd has a long history of not being overly stable one is happy once the 
> server is up and running. Thus, the never-change-a-running-system 
> paradigm is being lived in this realm.  

These servers are *broken*, and harming the use of PGP.  Countless
FAQs and other documents extol the keyserver network, and so new PGP
users try it and get their keys eaten.  One would hope that
never-change-a-running-system wouldn't apply when the running system
was actively causing damage.  It's not just subkeys: PKS allows for a
number of denial of service attacks against keys stored in it.

It's a question, but the way I see it, if a keyserver operator doesn't
want to fix critical bugs for fear of messing with a stable system,
then just turn the thing off.  That's stable too, and doesn't harm
anyone.

At least now there is subkeys.pgp.net so users can ignore the servers
that aren't being fixed (and we "just" have to educate everyone to use
it).

David



Re: Pre-cursor to Non-Secret Encryption

2003-06-18 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, John Young writes:

>
>Related: We have a three-year-old FOIA request to NSA for 
>information on:
>
>  The invention, discovery and development of "non-secret 
>  encryption" (NSE) and public key cryptography (PKC) by 
>  United Kingdom, United States, or any other nation's 
>  intelligence and cryptology agencies, prior to, parallel with, 
>  or subsequent to, the PKC work of Diffie-Hellman-Merkle. 
>
>NSA has recently said that some responsive information 
>may be released in the near future, although it is not clear if 
>that is weeks or months or years away.
>

Can you amend that to ask for digital signature information, too?  From 
my research on Permissive Action Links, I think there's some chance 
that digital signatures were invented separately, possibly by NSA 
before GCHQ's non-secret encryption work.

--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com (2nd edition of "Firewalls" book)





Re: The meat with multiple PGP subkeys

2003-06-18 Thread martin f krafft
also sprach David Shaw <[EMAIL PROTECTED]> [2003.06.18.0240 +0200]:
> The problem is that the PKS keyserver was not written to handle keys
> with multiple subkeys.

[snip]

Thanks for the explanation. I didn't know about subkeys.pgp.net yet.

Moreover, I second the belief that the keyservers must be fixed as
they are really harming the PGP infrastructure.

I support Jason's work:

  http://keyserver.kjsl.com/~jharris/keyserver.html

and am already talking the wwwkeys.ch.pgp.net people into upgrading.

Maybe everybody can pick a keyserver of their choice and sit on the
admin's face until s/he gets it... ? Let's riot!

Can someone tell me why the heck SKS is written in Ocaml? What an
annoyance is that? No offence to the Ocaml people here...

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
 
keyserver problems? http://keyserver.kjsl.com/~jharris/keyserver.html
get my key here: http://madduck.net/me/gpg/publickey
 
"there is more stupidity than hydrogen in the universe,
 and it has a longer shelf life."
-- frank zappa




Part II of Heritage TPM study released.

2003-06-18 Thread M Taylor

Date: Wed, 18 Jun 2003 14:00:59 -0400 (EDT)
From: Russell McOrmond <[EMAIL PROTECTED]>
To: General Copyright Discussions <[EMAIL PROTECTED]>


  I have not had a chance to read this yet, but just referencing it in 
case others did not notice it yet.


Date on file is: Date modified: 2003/06/04
Just noticed that the dates on the document say Final version: April 2002


Here is a link to the HTML version of both parts:
http://www.pch.gc.ca/progs/ac-ca/progs/pda-cpb/pubs/protection/index_e.cfm
http://www.pch.gc.ca/progs/ac-ca/progs/pda-cpb/pubs/protectionII/index_e.cfm


PDF version linked from here:
http://www.pch.gc.ca/progs/ac-ca/progs/pda-cpb/pubs/index_e.cfm#studies

---
 Russell McOrmond, Internet Consultant:  
